Why GAO Did This Study

The Department of Homeland 
Security (DHS) has established a 
program — the United States Visitor 
and Immigrant Status Indicator 
Technology (US-VISIT)— to collect, 
maintain, and share information, 
including biometric identifiers, on 
selected foreign nationals who 
travel to the United States. By 
congressional mandate, DHS is to 
develop and submit for approval an 
expenditure plan for US-VISIT that 
satisfies certain conditions, 
including being reviewed by GAO. 
Among other things, GAO was 
asked to determine whether the 
plan satisfied these conditions, and 
to provide observations on the plan 
and DHS's program management. 



What GAO Recommends 



To better ensure that the US-VISIT 
program is worthy of investment, 
GAO is reiterating its previous 
recommendations aimed at 
establishing effective program 
management capabilities. 
Additionally, GAO is making 
several new recommendations 
designed to encourage stronger 
management of the initial phases of 
the US-VISIT program, including 
implementing effective test 
management practices and 
assessing the full impact of future 
US-VISIT deployment on land port 
of entry workforce levels and 
facilities. DHS agreed with all of 
GAO's recommendations and most 
of its observations. 



www.gao.gov/cgi-bin/getrpt?GAO-04-586.

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact Randolph C. 
Hite at (202) 512-3439 or hiter@gao.gov. 



What GAO Found 

DHS's fiscal year 2004 US-VISIT expenditure plan and related documentation 
at least partially satisfies all conditions imposed by the Congress, including 
meeting the capital planning and investment control review requirements of 
the Office of Management and Budget (OMB). For example, DHS developed 
a draft risk management plan and a process to implement and manage risks. 
However, DHS does not have a current life cycle cost estimate or a 
cost/benefit analysis for US-VISIT. The US-VISIT program merges four 
components into one integrated whole to carry out its mission (see figure). 
GAO also developed a number of observations about the expenditure plan
and DHS's management of the program. These generally recognize 
accomplishments to date and address the need for rigorous and disciplined 
program practices. For example, US-VISIT largely met its commitments for 
implementing an initial operating capability, known as Increment 1, in early 
January 2004, including the deployment of entry capability to 115 air and 14 
sea ports of entry. However, DHS has not employed rigorous, disciplined 
management controls typically associated with successful programs, such as 
test management, and its plans for implementing other controls, such as 
independent verification and validation, may not prove effective. More 
specifically, testing of the initial phase of the implemented system was not 
well managed and was completed after the system became operational. In 
addition, multiple test plans were developed during testing, and only the 
final test plan, completed after testing, included all required content, such as 
describing tests to be performed. Such controls, while significant for the 
initial phases of US-VISIT, are even more critical for the later phases, as the 
size and complexity of the program will only increase. Finally, DHS's plans 
for future US-VISIT resource needs at the land ports of entry, such as staff 
and facilities, are based on questionable assumptions, making future 
resource needs uncertain. 
United States General Accounting Office
Washington, D.C. 20548 



May 11, 2004 

The Honorable Thad Cochran 
Chairman 

The Honorable Robert C. Byrd 
Ranking Minority Member 
Subcommittee on Homeland Security 
Committee on Appropriations 
United States Senate 

The Honorable Harold Rogers 
Chairman 

The Honorable Martin Olav Sabo 
Ranking Minority Member 
Subcommittee on Homeland Security 
Committee on Appropriations 
House of Representatives 

Pursuant to the Department of Homeland Security Appropriations Act, 
2004, 1 the Department of Homeland Security (DHS) submitted to the 
Congress in January 2004 its fiscal year 2004 expenditure plan for the 
United States Visitor and Immigrant Status Indicator Technology (US- 
VISIT) program. US-VISIT is a governmentwide program to collect, 
maintain, and share information on foreign nationals. 2 The program's goals 
are to enhance national security, facilitate legitimate trade and travel, 
contribute to the integrity of the U.S. immigration system, and adhere to 
U.S. privacy laws and policies. On January 5, 2004, DHS began operating 
the first stage of its planned US-VISIT operational capability, known as 
Increment 1, at 115 air and 14 sea ports of entry (POE). 

As required by the appropriations act, we reviewed US-VISIT's fiscal year 
2004 expenditure plan. Our objectives were to (1) determine whether the 



1 Pub. L. 108-90 (Oct. 1, 2003).

2 The US-VISIT program has a large number of government stakeholders, including the 
Departments of State, Transportation, Commerce, Justice, and the General Services 
Administration. State will play a significant role in creating a coordinated and interlocking 
network of border security by gathering biographic and biometric data during the 
application process for visas, grants of visa status, and the issuance of travel 
documentation. DHS inspectors will use this information at ports of entry to verify the 
identity of the foreign national. 
expenditure plan satisfies the legislative conditions specified in the act, 3

(2) determine the status of our US-VISIT open recommendations, 4 and 

(3) provide any other observations about the expenditure plan and DHS's 
management of US-VISIT. 

On March 2, 2004, we provided your offices with a written briefing detailing 
the results of our review. This report summarizes and transmits this 
briefing; the full briefing, including our scope and methodology, is 
reprinted as appendix I. The purpose of this report is to provide the 
published briefing slides to you and to officially transmit our 
recommendations to the Secretary of Homeland Security. 



Compliance with 
Legislative Conditions 



DHS satisfied or partially satisfied each of the applicable legislative 
conditions specified in the act. In particular, the plan, including related 
program documentation and program officials' statements, satisfied or 
provided for satisfying all key aspects of (1) compliance with the DHS 
enterprise architecture; 5 (2) federal acquisition rules, requirements, 
guidelines, and systems acquisition management practices; and (3) review 
and approval by DHS and the Office of Management and Budget (OMB). 
Additionally, the plan, including program documentation and program 
officials' statements, satisfied or provided for satisfying many, but not all, 
key aspects of OMB's capital planning and investment review requirements. 
For example, DHS fulfilled the OMB requirement that it justify and describe 
its acquisition strategy. However, DHS does not have current life cycle 
costs or a current cost/benefit analysis for US-VISIT. 



3 The legislative conditions are that the plan (1) meet the capital planning and investment 
control review requirements established by the Office of Management and Budget (OMB), 
including those in OMB Circular A-11, part 3 (capital investment and control requirements
are now found in part 7, rather than part 3); (2) comply with DHS's enterprise architecture;
(3) comply with the acquisition rules, requirements, guidelines, and systems acquisition 
management practices of the federal government; (4) be reviewed and approved by DHS 
and OMB; and (5) be reviewed by GAO. 

4 Our previous recommendations regarding US-VISIT's expenditure plans were published in 
U.S. General Accounting Office, Information Technology: Homeland Security Needs to 
Improve Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: June 9, 
2003) and Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003). 

5 Enterprise architectures are blueprints, or models, simplifying the complexity of how
agencies operate today, how they want to operate in the future, and how they will get there. 
Status of Open
Recommendations

DHS has implemented one, and either partially implemented or has
initiated action to implement most of the remaining recommendations
contained in our reports on the fiscal year 2002 and fiscal year 2003
expenditure plans. Each recommendation, along with its current status, is
summarized below:



• Develop a system security plan and privacy impact assessment. 

The department has partially implemented this recommendation. As to the 
first part of this recommendation, the program office does not have a 
system security plan for US-VISIT. However, the US-VISIT Chief 
Information Officer (CIO) accredited Increment 1 based upon security 
certifications 6 for each of Increment 1's component systems and a review
of each component's security-related documentation. Second, although the 
program office has conducted a privacy impact assessment for Increment 
1, the assessment does not satisfy all aspects of OMB guidance for 
conducting an assessment. For example, the assessment does not discuss 
alternatives to the methods of information collection, and the system 
documentation does not address privacy issues. 

• Develop and implement a plan for satisfying key acquisition 
management controls, including acquisition planning, solicitation, 
requirements management, program management, contract tracking 
and oversight, evaluation, and transition to support, and implement 
the controls in accordance with the Software Engineering Institute's 
(SEI) guidance. 7

The department plans to implement this recommendation. The US-VISIT 
program office has assigned responsibility for implementing the 
recommended controls. However, it has not yet developed explicit plans or 
time frames for defining and implementing them. 



6 Accreditation is the authorization and approval granted to a system to process sensitive
data in an operational environment; this is made on the basis of a compliance certification
by designated technical personnel of the extent to which design and implementation of the
system meet defined technical requirements for achieving data security. Certification is the
evaluation of the extent to which a system meets a set of security requirements.

7 Carnegie Mellon University Software Engineering Institute, Software Acquisition 
Capability Maturity Model®, Version 1.03 (March 2002) defines acquisition process 
management controls for planning, managing, and controlling software-intensive system 
acquisitions. 
• Ensure that future expenditure plans are provided to the department's
House and Senate Appropriations Subcommittees in advance of US- 
VISIT funds being obligated. 

With respect to the fiscal year 2004 expenditure plan, DHS implemented 
this recommendation by providing the plan to the Senate and House 
subcommittees on January 27, 2004. According to the program director, as 
of February 2004 no funds had been obligated to US-VISIT. 

• Ensure that future expenditure plans fully disclose US-VISIT 
capabilities, schedule, cost, and benefits. 

The department has partially implemented this recommendation. 
Specifically, the plan describes high-level capabilities, high-level schedule 
estimates, categories of expenditures by increment, and general benefits. 
However, the plan does not describe planned capabilities by increment and 
provides only general information on how money will be spent in each 
increment. Moreover, the plan does not identify all expected benefits in 
tangible, measurable, and meaningful terms, nor does it associate any 
benefits with increments. 

• Establish and charter an executive body composed of senior-level 
representatives from DHS and each US-VISIT stakeholder 
organization to guide and direct the program. 

The department has implemented this recommendation by establishing a 
three-entity governance structure. The entities are (1) the Homeland 
Security Council, (2) the DHS Investment Review Board, and (3) the US- 
VISIT Federal Stakeholders Advisory Board. The purpose of the Homeland 
Security Council is to ensure the coordination of all homeland security- 
related activities among executive departments and agencies, and the 
Investment Review Board is expected to monitor US-VISIT's achievement 
of cost, schedule, and performance goals. The advisory board is chartered 
to provide recommendations for overseeing program management and 
performance activities, including providing advice on the overarching US- 
VISIT vision; recommending changes to the vision and strategic direction; 
and providing a communications link for aligning strategic direction, 
priorities, and resources with stakeholder operations. 

• Ensure that human capital and financial resources are provided to 
establish a fully functional and effective program office. 
The department is in the process of implementing this recommendation.
DHS has determined that US-VISIT will require 115 government personnel 
and has filled 41 of these, including 12 key management positions. 
However, 74 positions have yet to be filled, and all filled positions are 
staffed by detailees from other organizational units within the department. 

• Clarify the operational context in which US-VISIT is to operate. 

The department is in the process of implementing this recommendation. 
DHS released Version 1 of its enterprise architecture in October 2003, 8 and 
it plans to issue Version 2 in September 2004. 

• Determine whether proposed US-VISIT increments will produce 
mission value commensurate with cost and risks. 

The department plans to implement this recommendation. The fiscal year 
2004 expenditure plan identifies high-level benefits to be delivered, but the 
benefits are not associated with specific increments. Additionally, the plan 
does not identify the total cost of Increment 2. Program officials expected 
to finalize a cost-benefit analysis this past March and a US-VISIT life cycle 
cost estimate this past April. 

• Define program office positions, roles, and responsibilities. 

The department is in the process of implementing this recommendation. 
Program officials are currently working with the Office of Personnel 
Management to define program position descriptions, including roles and 
responsibilities. The program office has partially completed defining the 
competencies for all 12 key management areas. These competencies are to 
be used in defining the position descriptions. 

• Develop and implement a human capital strategy for the program 
office. 

The department plans to implement this recommendation in conjunction 
with DHS's ongoing workforce planning, but stated that they have yet to 
develop a human capital strategy. According to these officials, DHS's 



8 Department of Homeland Security Enterprise Architecture Compendium Version 1.0 and
Transitional Strategy. 
departmental workforce plan is scheduled for completion during fiscal year
2004. 

• Develop a risk management plan and report all high risk areas and
their status to the program's governing body on a regular basis. 

The department has partially implemented this recommendation. The 
program has completed a draft risk management plan, and is currently 
defining risk management processes. The program is creating a risk 
management team to operate in lieu of formal processes until these are 
completed, and also maintains a risk-tracking database that is used to 
manage risks. 

• Define performance standards for each program increment that are 
measurable and reflect the limitations imposed by relying on existing 
systems. 

The department is in the process of implementing this recommendation. 
The program office has defined limited performance standards, but not all 
standards are being defined in a way that reflects the performance 
limitations of existing systems. 



Observations on the
Expenditure Plan

Our observations recognize accomplishments to date and address the need
for rigorous and disciplined program management practices relating to
system testing, independent verification and validation, and system change
control. An overview of specific observations follows:

• Increment 1 commitments were largely met. An initial operating
capability for entry (including biographic and biometric data collection)
was deployed to 115 air and 14 sea ports of entry on January 5, 2004,
with additional capabilities deployed on February 11, 2004. Exit
capability (including biometric capture) was deployed to one air and
one sea port of entry.

• Increment 1 testing was not managed effectively and was completed
after the system became operational. The Increment 1 system
acceptance test plan 9 was developed largely during and after test

9 The purpose of system acceptance testing is to verify that the complete system satisfies
functional, performance, and security requirements and is acceptable to end users.

execution. The department developed multiple plans, and only the final
plan, which was done after testing was completed, included all required 
content, such as tests to be performed and test procedures. None of the 
test plan versions, including the final version, were concurred with by 
the system owner or approved by the IT project manager, as required. 
By not having a complete test plan before testing began, the US-VISIT 
program office unnecessarily increased the risk that the testing 
performed would not adequately address Increment 1 requirements and 
failed to have adequate assurance that the system was being fully tested. 
Further, by not fully testing Increment 1 before the system became 
operational, the program office assumed the risk of introducing errors 
into the deployed system. In fact, post-deployment problems surfaced 
with the Student and Exchange Visitor Information System (SEVIS) 
interface as a result of this approach, and manual work-arounds had to 
be implemented. 

• The independent verification and validation contractor's roles may be 
in conflict. 10 The US-VISIT program plans to use its contractor to review 
some of the processes and products that the contractor may be 
responsible for defining or executing. Depending on the products and 
processes in question, this approach potentially impedes the 
contractor's independence, and thus its effectiveness. 

• A program-level change control board has not been established. 11 
Changes related to Increment 1 were controlled primarily through daily 
coordination meetings (i.e., oral discussions) among representatives 
from Increment 1 component systems teams and program officials, and 
the various boards already in place for the component systems. Without 
a structured and disciplined approach to change control, program 
officials do not have adequate assurance that changes made to the 
component systems for non-US-VISIT purposes do not interfere with 
US-VISIT functionality. 



10 The purpose of independent verification and validation (IV&V) is to provide an 
independent review of system processes and products. To be effective, the IV&V function 
must be performed by an entity that is independent of the processes and products that are 
being reviewed. 

11 The purpose of configuration management is to establish and maintain the integrity of
work products (e.g., hardware, software, and documentation). A key ingredient to 
effectively controlling configuration change is the functioning of a change control board. 
• The fiscal year 2004 expenditure plan does not disclose management
reserve funding. 12 Program officials, including the program director,
stated that reserve funding is embedded within the expenditure plan's 
various areas of proposed spending. However, the plan does not 
specifically disclose these embedded reserve amounts. By not creating, 
earmarking, and disclosing a specific management reserve fund in the 
plan, DHS is limiting its flexibility in addressing unexpected problems 
that could arise in the program's various areas of proposed spending, 
and it is limiting the ability of the Congress to exercise effective 
oversight of this funding. 

• Plans for future US-VISIT increments do not call for additional staff 
or facilities at land ports of entry. However, these plans are based on 
various assumptions that potential policy changes could invalidate. 
These changes could significantly increase the number of foreign 
nationals who would require processing through US-VISIT. Additionally, 
the Data Management Improvement Act Task Force's 2003 Second 
Annual Report to Congress 13 has noted that existing land port of entry 
facilities do not adequately support even the current entry and exit 
processes. Thus, future US-VISIT staffing and facility needs are 
uncertain. 



Conclusions

The fiscal year 2004 US-VISIT expenditure plan (with related program
office documentation and representations) at least partially satisfies the
legislative conditions imposed by the Congress. Further, steps are planned, 
under way, or completed to address most of our open recommendations. 
However, overall progress on all of our recommendations has been slow, 
and considerable work remains to fully address them. The majority of these 
recommendations are aimed at correcting fundamental limitations in the 
program office's ability to manage US-VISIT in a way that reasonably 
ensures the delivery of mission value commensurate with costs and 
provides for the delivery of promised capabilities on time and within 
budget. Given this background, it is important for DHS to implement the 



12 The creation and use of a management reserve fund to earmark resources for addressing 
the many uncertainties that are inherent in large-scale systems acquisition programs is an 
established practice and a prudent management approach. 

13 Data Management Improvement Act Task Force, Second Annual Report to Congress 
(Washington, D.C., December 2003). 
recommendations quickly and completely through active planning and
continuous monitoring and reporting. Until this occurs, the program will 
continue to be at high risk of not meeting expectations. 

To the US-VISIT program office's credit, the first phase of the program has 
been deployed and is operating, and the commitments that DHS made 
regarding this initial operating capability were largely met. However, this 
was not accomplished in a manner that warrants repeating. In particular, 
the program office did not employ the kind of rigorous and disciplined 
management controls that are typically associated with successful 
programs, such as effective test management and configuration 
management practices. Moreover, the second phase of US-VISIT is already 
under way, and these controls are still not established. These controls, 
while significant for the initial phases of US-VISIT, are even more critical 
for the later phases, because the size and complexity of the program will 
only increase, and the later that problems are found, the harder and more 
costly they are to fix. 

Also important at this juncture in the program's life are the still open 
questions surrounding whether the initial phases of US-VISIT will return 
value to the nation commensurate with their costs. Such questions warrant 
answers sooner rather than later, because of the program's size, 
complexity, cost, and mission significance. It is imperative that DHS move 
swiftly to address the US-VISIT program management weaknesses that we 
previously identified, by implementing our remaining open 
recommendations. It is equally essential that the department quickly 
corrects the additional weaknesses that we have identified. Doing less will 
only increase the risk associated with US-VISIT. 



Recommendations for
Executive Action

To better ensure that the US-VISIT program is worthy of investment and is
managed effectively, we are reiterating our prior recommendations, and we
further recommend that the Secretary of Homeland Security direct the
Under Secretary for Border and Transportation Security to ensure that the
US-VISIT program director takes the following actions:

• Develop and approve complete test plans before testing begins. These
plans, at a minimum, should (1) specify the test environment, including
test equipment, software, material, and necessary training; (2) describe
each test to be performed, including test controls, inputs, and expected
outputs; (3) define the test procedures to be followed in conducting the
tests; and (4) provide traceability between test cases and the
requirements to be verified by the testing. 

• Establish processes for ensuring the independence of the IV&V 
contractor. 



• Implement effective configuration management practices, including 
establishing a US-VISIT change control board to manage and oversee 
system changes. 

• Identify and disclose to the Appropriations Committees management 
reserve funding embedded in the fiscal year 2004 expenditure plan. 

• Ensure that all future US-VISIT expenditure plans identify and disclose 
management reserve funding. 

• Assess the full impact of a key future US-VISIT increment on land port 
of entry workforce levels and facilities, including performing 
appropriate modeling exercises. 

To ensure that our recommendations addressing fundamental program 
management weaknesses are addressed quickly and completely, we further
recommend that the Secretary direct the Under Secretary to have the 
program director develop a plan, including explicit tasks and milestones, 
for implementing all of our open recommendations, including those 
provided in this report. We further recommend that this plan provide for 
periodic reporting to the Secretary and Under Secretary on progress in 
implementing this plan. Lastly, we recommend that the Secretary report 
this progress, including reasons for delays, in all future US-VISIT 
expenditure plans. 



Agency Comments and
Our Evaluation

In written comments on a draft of this report signed by the US-VISIT
Director (reprinted in app. II, along with our responses), DHS agreed with
our recommendations and most of our observations. It also stated that it
appreciated the guidance that the report provided and described actions
that it is taking or plans to take in response to our recommendations.



However, DHS stated that it did not fully agree with all of our findings, 
specifically offering comments on our characterization of the status of one 
open recommendation and two observations. First, it did not agree with 
our position that it had not developed a security plan and completed a 
privacy impact assessment. According to DHS, it has completed both. We
acknowledge DHS's activity on both of these issues, but disagree that 
completion of an adequate security plan and privacy impact assessment 
has occurred. As we state in the report, the department's security plan for 
US-VISIT, titled Security and Privacy: Requirements & Guidelines 
Version 1.0, is a draft document, and it does not include information 
consistent with relevant guidance for a security plan, such as a risk 
assessment methodology and specific controls for meeting security 
requirements. 14 Moreover, much of the document discusses guidelines for 
developing a security plan, rather than specific contents of a plan. Also, as 
we state in the report, the Privacy Impact Assessment was published but is 
not complete because it does not satisfy important parts of OMB guidance 
governing the content of these assessments, such as discussing alternatives 
to the designed methods of information collection and handling. 

Second, DHS stated that it did not fully agree with our observation that the 
Increment 1 system test plan was developed largely during and after 
testing, citing several steps that it took as part of Increment 1 requirements 
definition, test preparation, and test execution. However, none of the steps 
cited address our observations that DHS did not have a system acceptance 
test plan developed, approved, and available in time to use as the basis for 
conducting system acceptance testing and that only the version of the test 
plan modified on January 16, 2004 (after testing was completed) contained 
all of the required test plan content. Moreover, DHS's comments 
acknowledge that the four versions of its Increment 1 test plan were 
developed during the course of test execution, and that the test schedule 
did not permit sufficient time for all stakeholders to review, and thus 
approve, the plans. 

Third, DHS commented on the roles and responsibilities of its various 
support contractors, and stated that we cited the wrong operative 
documentation governing the role of its independent verification and 
validation contractor. While we do not question the information provided in 
DHS's comments concerning contractor roles, we would add that its 
comments omitted certain roles and responsibilities contained in the 
statement of work for one of its contractors. This omitted information is 



14 Office of Management and Budget Circular Number A-130, Revised (Transmittal
Memorandum No. 4), Appendix III, "Security of Federal Automated Information Resources" 
(Nov. 28, 2000) and National Institute of Standards and Technology, Guide for Developing 
Security Plans for Information Systems, NIST Special Publication 800-18 (December 
1998). 
important because it is the basis for our observation that the program
office planned to task the same contractor that was responsible for 
program management activities with performing independent verification 
and validation activities. Under these circumstances, the contractor could 
not be independent. In addition, we disagree with DHS's comment that we 
cited the wrong operative documentation, and note that the document DHS 
said we should have used relates to a different support contractor than the 
one tasked with both performing program activities and performing 
independent verification and validation activities. 

The department also provided additional technical comments, which we 
have incorporated as appropriate into the report. 



We are sending copies of this report to the Chairmen and Ranking Minority 
Members of other Senate and House committees and subcommittees that 
have authorization and oversight responsibilities for homeland security. We 
are also sending copies to the Secretary of State and the Director of OMB. 
Copies of this report will also be available at no charge on our Web site at 
www.gao.gov. 

Should you or your offices have any questions on matters discussed in this 
report, please contact me at (202) 512-3439 or at hiter@gao.gov. Another 
contact and key contributors to this report are listed in appendix III. 




Randolph C. Hite 

Director, Information Technology Architecture 
and Systems Issues 
Briefing Overview

• Introduction

• Objectives

• Results in Brief

• Background

• Results

• Legislative Conditions

• Status of Open Recommendations

• Observations

• Conclusions

• Recommendations for Executive Action

• Agency Comments

• Attachment 1. Scope and Methodology
Introduction 



The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) 
program of the Department of Homeland Security (DHS) is a governmentwide 
program to collect, maintain, and share information on foreign nationals. The goals 
of the US-VISIT program are to 

• enhance national security, 

• facilitate legitimate trade and travel, 

• contribute to the integrity of the U.S. immigration system, 1 and 

• adhere to U.S. privacy laws and policies. 

US-VISIT capability is planned to be implemented in four increments. Increment 1 
began operating on January 5, 2004, at major air and sea ports of entry (POEs). 



1 This goal has been added since the last expenditure plan. 
The US-VISIT program involves the interdependent application of people, 
processes, technology, and facilities. 

[Figure: the US-VISIT program shown at the center of four elements. Labels: 
Technology; Inspectors, border patrol agents, program management staff, 
consular officials, investigators, and adjudicators; Pre-entry, entry, status, 
and exit management policies and procedures; Border facilities.] 

Sources: GAO (analysis), Nova Development Corp. (images). 

Note: GAO analysis based on DHS data. 

The Department of Homeland Security Appropriations Act, 2004, 1 prohibits DHS 
from obligating any funds appropriated in the act for the US-VISIT program until it 
submits a plan for expenditure that satisfies the following legislative conditions. 

• Meets the capital planning and investment control review requirements 
established by the Office of Management and Budget (OMB), including OMB 
Circular A-11, part 3. 2 

• Complies with DHS's enterprise architecture. 

• Complies with the acquisition rules, requirements, guidelines, and systems 
acquisition management practices of the federal government. 

• Is reviewed and approved by DHS and OMB. 

• Is reviewed by GAO. 



1 Pub. L. 108-90 (Oct. 1, 2003). 

2 OMB Circular A-11 establishes policy for planning, budgeting, acquisition, and management of federal capital assets. 

In the Department of Homeland Security Appropriations Act, 2004, the Congress 
appropriated $330 million in fiscal year 2004 funds for the US-VISIT program. 1 

DHS submitted its fiscal year 2004 expenditure plan for $330 million on January 27, 
2004, to the House and Senate Appropriations Subcommittees on Homeland 
Security. 



1 Pub. L. 108-90 (Oct. 1, 2003). 
As agreed, our objectives were to 

1. determine whether the US-VISIT fiscal year 2004 expenditure plan satisfies the 
legislative conditions, 

2. determine the status of our US-VISIT open recommendations, and 

3. provide any other observations about the expenditure plan and DHS's 
management of US-VISIT. 

We conducted our work at DHS's headquarters in Washington, D.C., and at its 
Atlanta Field Operations Office (Atlanta's William B. Hartsfield International Airport) 
from October 2003 through February 2004 in accordance with generally accepted 
government auditing standards. Details of our scope and methodology are given in 
attachment 1. 
Fiscal Year 2004 US-VISIT Expenditure Plan's Satisfaction of Legislative 
Conditions 

| Legislative conditions | Status |
|---|---|
| 1. Meets the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7. a | Partially satisfies b |
| 2. Complies with the DHS enterprise architecture. | Satisfies |
| 3. Complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government. | Satisfies |
| 4. Is reviewed and approved by DHS and OMB. | Satisfies |
| 5. Is reviewed by GAO. | Satisfies |

Source: GAO. 

a Capital investment and control requirements are now found in OMB Circular A-11, part 7, rather than part 3. 
b Satisfies or provides for satisfying many, but not all, key aspects of the condition that we reviewed. 
c Satisfies or provides for satisfying every aspect of the condition that we reviewed. 
Status of Actions to Implement Our 12 Open Recommendations 

| GAO open recommendations | Status |
|---|---|
| 1. Develop a system security plan and privacy impact assessment. | Partially complete a |
| 2. Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements development and management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with SEI c guidance. | Planned b |
| 3. Ensure that future expenditure plans are provided to DHS's House and Senate Appropriations Subcommittees in advance of US-VISIT funds being obligated. | Complete d e |
| 4. Ensure that future expenditure plans fully disclose US-VISIT system capabilities, schedule, cost, and benefits to be delivered. | Partially complete 6 |

a Actions are under way to implement the recommendation. 
b Actions are planned to implement the recommendation. 

c The Software Acquisition Capability Maturity Model® developed by Carnegie Mellon University's Software Engineering 
Institute (SEI) defines acquisition process management controls for planning, managing, and controlling software-intensive 
system acquisitions. 

d Actions have been taken to fully implement the recommendation. 
e With respect to the fiscal year 2004 expenditure plan. 
| GAO open recommendations | Status |
|---|---|
| 5. Establish and charter an executive body composed of senior-level representatives from DHS and each stakeholder organization to guide and direct the US-VISIT program. | Complete |
| 6. Ensure that human capital and financial resources are provided to establish a fully functional and effective US-VISIT program office. | In progress f |
| 7. Clarify the operational context in which US-VISIT is to operate. | In progress |
| 8. Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks. | Planned |
| 9. Define US-VISIT program office positions, roles, and responsibilities. | In progress |
| 10. Develop and implement a human capital strategy for the US-VISIT program office that provides for staffing positions with individuals who have the appropriate knowledge, skills, and abilities. | Planned |
| 11. Develop a risk management plan and report all high risks and their status to the executive body on a regular basis. | Partially complete |
| 12. Define performance standards for each US-VISIT increment that are measurable and reflect the limitations imposed by relying on existing systems. | In progress |


Source: GAO. 

f Actions have been initiated to implement the recommendation. 
Observations 

Summary of Observations 

Increment 1 

Commitments were largely met; the system is deployed and operating. 

Testing was not managed effectively; if continued, the current approach to testing 
would increase risks. 

• The system acceptance test (SAT) plan was developed largely during and after 
test execution. 

• The SAT plan available during testing was not complete. 

• SAT was not completed before the system became operational. 

Future increments 

Key program issues exist that increase risks if not resolved. 

• Independent verification and validation (IV&V) contractor's roles may be 
conflicting. 

• Program-level change control board has not been established. 

• Expenditure plan does not disclose management reserve funding. 

• Land POE workforce and facility needs are uncertain. 

To assist DHS in managing US-VISIT, we are making eight recommendations to 
the Secretary of DHS. 

In their comments on a draft of this briefing, US-VISIT program officials stated that 
they generally agreed with the briefing and that it was fair and balanced. 
The US-VISIT program is a governmentwide endeavor intended to enhance 
national security, facilitate legitimate trade and travel, contribute to the integrity of 
the U.S. immigration system, and adhere to U.S. privacy laws and policies by 

• collecting, maintaining, and sharing information on certain foreign nationals 
who enter and exit the United States; 

• identifying foreign nationals who (1) have overstayed or violated the terms of 
their visit; (2) can receive, extend, or adjust their immigration status; or 
(3) should be apprehended or detained by law enforcement officials; 

• detecting fraudulent travel documents, verifying traveler identity, and 
determining traveler admissibility through the use of biometrics; and 

• facilitating information sharing and coordination within the border management 
community. 
Within DHS, organizational responsibility for the US-VISIT program lies with the 
Border and Transportation Security Directorate. 

In July 2003, DHS established a US-VISIT program office with responsibility for 
managing the acquisition, deployment, operation, and sustainment of the US-VISIT 
system and supporting people (e.g., inspectors), processes (e.g., entry exit policies 
and procedures), and facilities (e.g., inspection booths). 

For the initial increments, DHS is using existing system contractors and additional 
program support contractors. 

The following graphic shows the organizational placement for the US-VISIT 
program. 
[Figure: Organizational Placement of US-VISIT Program (Partial DHS Organization Chart). Boxes shown: 

• Department of Homeland Security Secretary 
• Deputy Secretary 
• Under Secretary for Border & Transportation Security 
• US-VISIT 
• Bureau of Customs & Border Protection: INS inspection services; Agricultural Quarantine Inspection program; Border Patrol; Customs Service (including canine officers) 
• Bureau of Immigration & Customs Enforcement: INS investigative and enforcement functions; Customs investigative and enforcement (including air and marine) functions; Federal Protective Service 
• Director, Bureau of Citizenship & Immigration Services: INS benefits and immigration services functions 
• Transportation Security Administration: aviation security functions (including passenger and baggage screening operations and air marshals); maritime and land security functions; intelligence analysis and dissemination activities] 

Source: GAO. 

Note: GAO analysis based on DHS data. 
Acquisition Strategy 

DHS plans to deliver US-VISIT capability incrementally. Currently, DHS has 
defined four increments, with Increments 1 through 3 being interim, or temporary, 
solutions, and Increment 4 being the yet-to-be-defined end vision for US-VISIT. 
Increments 1 through 3 include the interfacing and enhancement of existing system 
capabilities and the deployment of these capabilities to air, sea, and land POEs. 
Increment 1 Status 

Increment 1 includes the electronic collection and matching of biographic and 
biometric information at all major air and some sea POEs for selected foreign 
travelers with visas. 1 

Increment 1 entry capability was deployed to 115 airports and 14 seaports on 
January 5, 2004. Increment 1 exit capability was deployed as a pilot to two POEs 
on January 5, 2004. 2 According to the Program Director, US-VISIT is developing 
other exit alternatives and criteria for evaluating and selecting the alternatives. 
According to the Director, US-VISIT expects to select one or more of the 
alternatives by December 31, 2004. 



1 Classes of travelers that are not subject to US-VISIT are foreign nationals admitted on A-1, A-2, C-3 (except for attendants, 
servants, or personal employees of accredited officials), G-1, G-2, G-3, G-4, NATO-1, NATO-2, NATO-3, NATO-4, NATO-5, 
or NATO-6 visas, unless the Secretary of State and the Secretary of Homeland Security jointly determine that a class of such 
aliens should be subject to the rule; children under the age of 14; and persons over the age of 79. 

2 The Miami Royal Caribbean seaport and the Baltimore/Washington International Airport. 
Increment 1 

• included the development of policies, procedures, and associated training for 
implementing US-VISIT at the air and sea POEs; 

• included outreach efforts, such as brochures, demonstration videos, and 
signage at air and sea POEs; 

• did not include additional inspector staff at air and sea POEs; and 

• did not include the acquisition of additional entry facilities. For exit, DHS is in 
the process of assessing facilities space and installing conduit, electrical 
supply, and signage. 

Increment 2 Plans 

Increment 2 is divided into two Increments — 2A and 2B. 

• Increment 2A is to include at all POEs the capability to process machine- 
readable visas and other travel and entry documents that use biometric 
identifiers. This increment is to be implemented by October 26, 2004. 
• Increment 2B is to expand the Increment 1 solution for entry to secondary 
inspection 1 at the 50 highest volume land POEs by December 31, 2004. 
According to the expenditure plan, 2B is also to include the capability to read 
radio frequency (RF) 2 enabled documents at the 50 busiest land POEs for both 
entry and exit processes. 

According to the US-VISIT Deputy Director: 

• Each of the 745 entry and exit traffic lanes at these 50 land POEs is to 
have the infrastructure, such as underground conduit, necessary to install 
the RF technology. 



1 Secondary inspection is used for more detailed inspections that may include checking more databases, conducting more 
intensive interviews of the individual, or both. 

2 RF technology would require proximity cards and card readers. RF readers read the information contained on the card 
when the card is passed near the reader, and could be used to verify the identity of the card holder. 
• RF technology is to be installed and operating at an undetermined number 
of lanes to collect biographic information. The US-VISIT program plans to 
install the technology, at a minimum, to one entry and one exit lane for 
each of the 50 land POEs. Collecting the biographic information for exit 
would require that some form of RF-enabled documentation be provided to 
the foreign national upon entry into the country. 

• For exit lanes without RF, US-VISIT will continue to rely upon the collection 
of manually completed I-94 forms 1 from exiting travelers. 

Increment 3 Plans 

Increment 3 is to expand Increment 2B system capability to the remaining 115 land 
POEs. It is to be implemented by December 31, 2005. 



1 I-94 forms have been used for years to track foreign nationals' arrivals and departures. Each form is divided into two parts: 
an entry portion and an exit portion. Each form contains a unique number printed on both portions of the form for the purposes 
of subsequent recording and matching the arrival and departure records on nonimmigrants. 
Increment 4 Plans 

Increment 4 is the yet-to-be-defined end vision of US-VISIT program capability, 
which will likely consist of a series of releases. 

DHS plans to award a single, indefinite-delivery/indefinite-quantity 1 contract to a 
prime contractor capable of integrating existing and new business processes and 
technologies. DHS issued a request for proposal (RFP) for the prime contractor in 
November 2003, as planned. DHS plans to award a contract by the end of May 
2004. According to the RFP, the prime contractor's scope of work is to include, but 
is not limited to, Increments 2B, 3, and 4. 

According to the expenditure plan, the prime contractor will support the integration 
and consolidation of processes, functionality, and data, and will develop a strategy 
to build on the technology and capabilities already available to fully support the 
US-VISIT vision. Meanwhile, the US-VISIT program will continue deploying the interim 
solution as planned and use the prime contractor to assist in the planning and 
deployment of the system, as appropriate. 

1 An indefinite-delivery/indefinite-quantity contract provides for an indefinite quantity, within stated limits, of supplies or services 
during a fixed period of time. The government schedules deliveries or performance by placing orders with the contractor. 






GAO-04-586 Homeland Security 



Appendix I 

Briefing to the Staffs of the Subcommittees 
on Homeland Security, Senate and House 
Committees on Appropriations 



For facilities, DHS is working with the General Services Administration to install the 
infrastructure, such as underground conduit, to support the RF technology at 
primary vehicle inspection lanes. US-VISIT is installing the infrastructure for the 
collection of biometric and biographical information in secondary inspection areas. 

For human capital, DHS does not plan to acquire any additional inspection staff for 
Increment 2. 
Component Systems 

US-VISIT (Increments 1 through 4) will potentially include the interfacing of over 16 
existing systems. Examples of systems included in Increment 1 are 

• Arrival Departure Information System (ADIS), a database that stores traveler 
arrival and departure data received from air and sea carrier manifests and that 
provides query and reporting functions; 

• Advance Passenger Information System (APIS), a system that captures arrival 
and departure manifest information provided by air and sea carriers; 

• Interagency Border Inspection System (IBIS), a system that maintains lookout 
(i.e., watchlist) data, 1 interfaces with other agencies' databases, and is 
currently used by inspectors at POEs to verify traveler information and modify 
data; 

1 IBIS lookout sources include: DHS's Customs and Border Protection and Immigration and Customs Enforcement; the 
Federal Bureau of Investigation; legacy Immigration and Naturalization Service and Customs information; the U.S. Secret 
Service; the U.S. Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency; the Bureau of Alcohol, Tobacco 
& Firearms; the U.S. Marshals Service; the U.S. Office of Foreign Asset Control; the National Guard; the Treasury Inspector 
General; the U.S. Department of Agriculture; the Department of Defense Inspector General; the Royal Canadian Mounted 
Police; the U.S. State Department; Interpol; the Food and Drug Administration; the Financial Crimes Enforcement Network; the 
Bureau of Engraving and Printing; and the Department of Justice Office of Special Investigations. This footnote has been 
modified to include additional information obtained since the briefing's delivery to the Committees. 
• Automated Biometric Identification System (IDENT), a system that collects and 
stores biometric data about foreign visitors; 1 

• Student Exchange Visitor Information System (SEVIS), a system that contains 
information on foreign students; 

• Computer Linked Application Information Management System (CLAIMS 3), a 
system that contains information on foreign nationals who request benefits, 
such as change of status or extension of stay; and 

• Consular Consolidated Database (CCD), a system that includes information on 
whether a visa applicant has previously applied for a visa or currently has a 
valid U.S. visa. 



1 Includes data such as: Federal Bureau of Investigation information on all known and suspected terrorists, selected wanted 
persons (foreign-born, unknown place of birth, previously arrested by DHS), and previous criminal histories for high-risk 
countries; DHS Immigration and Customs Enforcement information on deported felons and sexual registrants; DHS 
information on previous criminal histories and previous IDENT enrollments. Information from the bureau includes fingerprints 
from the Integrated Automated Fingerprint Identification System. This footnote has been modified to include additional 
information obtained since the briefing's delivery to the Committees. 
Increment 1 Process 

According to DHS, Increment 1 includes the following four processes and 
capabilities: 

Pre-Entry Process: 

Pre-entry processing begins with initial petitions for visas, grants of visa status, or 
the issuance of travel documentation. When the Department of State issues the 
travel documentation, biographic (and in some cases biometric) data are collected 
and made available to border management agencies. The biometric data are 
transmitted from State to DHS, where the prints are run against the US-VISIT 
biometric database to verify identity and to check the biometric watchlist. The 
results of the biometric check are transmitted back to State. 

Commercial air and sea carriers are required by law to transmit crew and 
passenger manifests before arriving in the United States. These manifests are 
transmitted through APIS. The APIS lists are run against the biographic lookout 
system and identify those arrivals who have biometric data available. 
In addition, POEs review the APIS list for a variety of factors that would target 
certain arriving crew and passengers for additional processing. 

Entry Process: 

When the foreign national arrives at a primary POE inspection booth, the inspector, 
using a document reader, scans the machine-readable travel documents. 
IBIS/APIS returns any existing records on the foreign national, including manifest 
data matches and biographic lookout hits. When a match is found in the manifest 
data, the foreign national's name is highlighted and outlined on the manifest data 
portion of the screen. 

Biographic information, such as name and date of birth, is displayed on the bottom 
half of the screen, as well as the photograph from State's CCD. IBIS also returns 
information about whether there are, within IDENT, existing fingerprints for the 
foreign national. 
The inspector switches to the IDENT screen and scans the foreign national's 
fingerprints (left and right index fingers) and photograph. The system accepts the 
best fingerprints available within the 5-second scanning period. This information is 
forwarded to the IDENT database, where it is checked against stored fingerprints in 
the IDENT lookout database. If no prints are currently in the IDENT database, the 
foreign national is enrolled in US-VISIT (i.e., biographic and biometric data are 
entered). If the foreign national's fingerprints are already in IDENT, the system 
performs a 1:1 match (a comparison of the fingerprint taken during the primary 
inspection to the one on file) to confirm that the person submitting the fingerprints is 
the person on file. If the system finds a mismatch of fingerprints or a watchlist hit, 
the foreign national is sent to secondary inspection for further screening or 
processing. 

While the system is checking the fingerprints, the inspector questions the foreign 
national about the purpose of his or her travel and length of stay. The inspector 
adds the class of admission and duration of stay information into the IBIS system, 
and stamps the "admit until" date on the I-94 form. 
If the foreign national is ultimately determined to be inadmissible, the person is 
detained, the appropriate lookouts are posted in the databases, and appropriate 
actions are taken. 

Two hours after a flight lands and all passengers have been processed, IBIS sends 
the records showing the class of admission and the admit until date that had been 
modified by the inspector to ADIS. 

Status Management Process: 

The status management process manages the foreign national's temporary 
presence in the United States, including the adjudication of benefits applications 
and investigations into possible violations of immigration regulations. ADIS 
matches entry and exit manifest data to ensure that each record showing a foreign 
national entering the United States is matched with a record showing the foreign 
national exiting the United States. ADIS receives status information from CLAIMS 3 
and SEVIS on foreign nationals. 
Exit Process: 

The exit process includes the carriers' submission of electronic manifest data to 
IBIS/APIS. This biographic information is passed to ADIS, where it is matched 
against entry information. At the two POEs where the exit pilot is being conducted, 
foreign nationals use a self-serve kiosk where they are prompted to scan their 
travel documentation and provide their fingerprints (right and left index fingers). On 
a daily basis, the information collected on departed passengers is downloaded to a 
CD-ROM. 1 

The CD is then express mailed to a DHS contractor facility to be uploaded into 
IDENT, where a 1:1 match is performed (i.e., the fingerprint captured during entry 
is compared with the fingerprint captured at exit). ADIS provides the ability to run 
queries on foreign nationals who have entry information but no corresponding exit 
information. 

The following graphic shows Increment 1, as deployed on January 5, 2004. 2 

1 A CD-ROM is a digital storage device that is capable of being read, but not overwritten. 

2 CLAIMS 3's interface with ADIS was deployed and implemented on February 11, 2004. 
[Figure: Simplified Diagram of US-VISIT Increment 1 System Components and 
Process (at air and sea ports of entry), showing the pre-entry, entry, status 
management, and exit stages.] 


Sources: GAO (analysis), Nova Development Corp. (images). 
GAO's Review of Fiscal Year 2003 Expenditure Plan 

In our report on the fiscal year 2003 expenditure plan, 1 we reported on 10 risk 
factors associated with the US-VISIT program, and we made recommendations, as 
appropriate, to address them. 

• Mission is critical. 

• Scope is large and complex. 

• Milestones are challenging. 

• Potential cost is significant. 

• Existing systems have known problems. 

• Governance structure is not established. 

• Program management capability is not implemented. 



1 U.S. General Accounting Office, Homeland Security: Risks Facing Key Border and Transportation Security Program Need 
to Be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003). 
• Operational context is unsettled. 

• Near-term facilities solutions pose challenges. 

• Mission value of first increment is currently unknown. 
GAO's Review of Fiscal Year 2002 Expenditure Plan 

In our report on the fiscal year 2002 expenditure plan, 1 we reported that 

• INS intended to acquire and deploy a system with functional and performance 
capabilities consistent with the general scope of capabilities under various 
laws; 

• the plan did not provide sufficient information to allow Congress to oversee the 
program; 

• INS had not developed a security plan and privacy impact assessment; and 

• INS had not implemented acquisition management controls in the area of 
acquisition planning, solicitation, requirements development and management, 
project management, contract tracking and oversight, and evaluation consistent 
with SEI guidance. 

We made recommendations to address these areas. 

1 U.S. General Accounting Office, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure 
Planning, GAO-03-563 (Washington, D.C.: June 9, 2003). 
Fiscal Year 2004 Expenditure Plan Summary (see next slides for descriptions) 

| Area of expenditure | Amount |
|---|---|
| Increment 1 — Air and Sea | $45,000,000 |
| Increment 2A — Air, Sea, and Land | 73,000,000 |
| Increment 2B — Land | 81,000,000 |
| Increment 3 — Land | 3,000,000 |
| Program Management | 70,000,000 |
| Operations and Maintenance | 58,000,000 |
| Total | $330,000,000 |


Source: DHS. 
Description of How Funds Are to Be Used 

Increment 1 — Air and Sea: This expenditure area includes costs to develop, field 
test, and initiate deployment of an initial exit solution (e.g., self-service kiosks), 
while evaluating additional alternative approaches, such as hand-held devices. 

Increment 2A — Air, Sea, and Land: This area includes costs to deploy the 
capability to all POEs to read biometrically enabled travel documents at secondary 
inspection facilities. 

Increment 2B — Land: This area includes costs required for the development of 
land infrastructure upgrades, system development and testing, and RF technology 
to the 50 busiest land POEs. 
Increment 3 — Land: This expenditure area includes costs to begin technical 
infrastructure planning and development for the remaining 115 land POEs. 

Program Management: This area includes costs incurred to maintain the program 
management structure and baseline operations. 

Operations and Maintenance: This area includes operations and maintenance of 
existing information systems. After deployment, this cost is to be transferred to the 
organizations that are responsible for the individual systems. This transfer of costs 
is expected by fiscal year 2006. 
Summary of US-VISIT Appropriations and Reported Obligations 

| Fiscal year | Available appropriations (millions) a | Obligated (millions) b |
|---|---|---|
| 2002 | $13.3 | $7.7 c |
| 2003 | 367.0 | 367.0 |
| 2004 | 330.0 d | |
| Total | $710.3 | $374.7 |


Source: DHS. 

a The conference report (H.R. Conf. Rep. No. 107-350, at 416 (2001)) recommended that INS use $13.3 million in 
appropriations for the entry exit system (now US-VISIT). This amount is available until expended. The conference report 
(H.R. Conf. Rep. No. 108-10, at 623 (2003)) recommended that INS use $362 million in fiscal year 2003 funds for what 
is now US-VISIT. These funds expired at the end of fiscal year 2003. According to DHS officials, an additional $5 million 
in base resources was available from a user fee account. In the Department of Homeland Security Appropriations Act, 
2004, Congress appropriated $330 million for US-VISIT. This amount is available until expended. 
b As of February 2004. 

'Before August 2003, DHS had obligated $3.2 million of the $13.3 million in fiscal year 2002 funds. In November 2003, 
DHS requested, and in December 2003, the House and Senate Appropriations Subcommittees approved DHS's plan to 
spend the remaining $10.1 million in no-year funds from fiscal year 2002. According to the US-VISIT Budget and 
Financial Manager, as of February 23, 2004, US-VISIT had obligated $4.5 million of the $10.1 million. 
d On January 26, DHS submitted to the Senate and House Appropriations Subcommittees on Homeland Security a 
request for the release of $25 million from the fiscal year 2004 appropriations. 
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The US-VISIT expenditure plan satisfies or partially satisfies each of the legislative 
conditions. 

Condition 1. The plan, including related program documentation and program 
officials' statements, partially satisfies the capital planning and investment control 
review requirements established by OMB, including OMB Circular A-11, part 7,
which establishes policy for planning, budgeting, acquisition, and management of 
federal capital assets. 

The table that follows provides examples of the results of our analysis.

Objective 1 Results
Legislative Conditions

| Examples of A-11 conditions | Results of our analysis |
|---|---|
| Provide justification and describe acquisition strategy. | US-VISIT has completed an Acquisition Plan dated November 28, 2003. The plan provides a high-level justification and description of the acquisition strategy for the system. |
| Summarize life cycle costs and cost/benefit analysis, including the return on investment. | DHS does not have current life cycle costs nor a current cost/benefit analysis for US-VISIT. According to program officials, US-VISIT has a draft life cycle cost estimate and cost/benefit analysis. Both are expected to be completed in March 2004. a |
| Provide performance goals and measures. | The plan identifies planned performance metrics. However, US-VISIT has not developed a baseline against which to measure progress or actual performance. a |
| Address security and privacy. | A security plan for US-VISIT has not been developed. Instead, US-VISIT was certified and accredited based upon the updated security certification for each of Increment 1's component systems. The US-VISIT program published a privacy impact assessment on January 5, 2004. a |
| Provide risk inventory and assessment. | US-VISIT has developed a draft risk management plan and a process to implement and manage risks. US-VISIT also maintains a risk and issues tracking database. a |

Source: GAO.

a Our objective 2 results provide additional information on these areas.

Note: GAO analysis based on DHS data.

Condition 2. The plan, including related program documentation and program
officials' statements, satisfies this condition by providing for compliance with DHS's 
enterprise architecture. 

DHS released version 1 of the architecture in October 2003. 1 It plans to issue 
version 2 in September 2004. 

According to the DHS Chief Information Officer (CIO), DHS is developing a process 
to align its systems modernization efforts, such as US-VISIT, to its enterprise 
architecture. Alignment of US-VISIT to the enterprise architecture has not yet been 
addressed, but DHS CIO and US-VISIT officials stated that they plan to do so.

1 Department of Homeland Security Enterprise Architecture Compendium Version 1.0 and Transitional Strategy.

Condition 3. The plan, including related program documentation and program
officials' statements, satisfies the condition that it comply with the acquisition rules, 
requirements, guidelines, and systems acquisition management practices of the 
federal government. These criteria provide a management framework based on the 
use of rigorous and disciplined processes for planning, managing, and controlling 
the acquisition of IT resources, including acquisition planning, solicitation, 
requirements development and management, project management, contract 
tracking and oversight, and evaluation. 

The table that follows provides examples of the results of our analysis.

| Examples of process | Results of our analysis |
|---|---|
| Acquisition planning. Ensures that reasonable preparation for the acquisition is conducted, including, among other things, developing an acquisition strategy and plan, estimating life cycle cost and schedule, and defining roles and responsibilities. | The US-VISIT program has developed and documented an acquisition strategy and plan for a prime contractor to perform activities for modernizing US-VISIT business processes and systems, calling for, among other things, these activities to meet all relevant legislative requirements. Activities identified include U.S. border management-related work and support; other DHS-related strategic planning, and any associated systems development and integration, business process reengineering, organizational change management, information technology support, and program management work and support; and other business, technical, and management capabilities to meet the legislative mandates, operational needs, and government business requirements. The strategy defines a set of acquisition objectives, identifies key roles and responsibilities, sets general evaluation criteria, and establishes a high-level acquisition schedule. The plan describes initial tasking, identifies existing systems with which to interoperate/interface, defines a set of high-level risks, and lists applicable legislation. |
| Solicitation. Prepares a solicitation package that identifies the needs of a particular acquisition and selects a supplier who can best satisfy the requirements of the contract. | The RFP for the prime contractor acquisition was issued on November 28, 2003. A selecting official has been assigned responsibility, and a team, including contract specialists, has been formed and has received training related to this acquisition. A set of high-level evaluation factors has been defined for selecting the prime integrator, and the team plans to define more detailed criteria, |

Source: GAO.

Note: GAO analysis based on DHS data.

Condition 4 met. The plan, including related program documentation and program
officials' statements, satisfies the requirement that it be reviewed and approved by 
DHS and OMB. 

DHS and OMB reviewed and approved the US-VISIT fiscal year 2004 expenditure 
plan. Specifically, the DHS IRB 1 approved the plan on December 17, 2003, and 
OMB approved the plan on January 27, 2004.

1 The IRB is the executive review board that provides acquisition oversight of DHS level 1 investments and conducts portfolio
management. Level 1 investment criteria are contract costs exceeding $50 million; importance to DHS strategic and
performance plans; high development, operating, or maintenance costs; high risk; high return; significant resource
administration; and life cycle costs exceeding $200 million. According to the DHS CIO, US-VISIT is a level 1 investment.

Condition 5 met. The plan satisfies the requirement that it be reviewed by GAO. 
Our review was completed on March 2, 2004.

Open Recommendation 1: Develop a system security plan and privacy impact
assessment. 

Status: Partially complete 

Security Plan. DHS does not have a security plan for US-VISIT. Although program 
officials provided us with a draft document entitled Security & Privacy: 
Requirements & Guidelines Version 1.0, 1 this document does not include 
information consistent with relevant guidance for a security plan. 

The OMB and the National Institute of Standards and Technology have issued 
security planning guidance. 2 In general, this guidance requires the development of 
system security plans that (1) provide an overview of the system security 
requirements, (2) include a description of the controls in place or planned for 
meeting the security requirements, (3) delineate roles and responsibilities of all 
individuals who access the system, (4) discuss a risk assessment methodology, 
and (5) address security awareness and training. 

1 Security & Privacy: Requirements & Guidelines Version 1.0 Working Draft, US-VISIT Program (May 15, 2003). 

2 Office of Management and Budget Circular Number A-130, Revised (Transmittal Memorandum No. 4), Appendix III, "Security
of Federal Automated Information Resources" (Nov. 28, 2000) and National Institute of Standards and Technology, Guide for
Developing Security Plans for Information Systems, NIST Special Publication 800-18 (December 1998).

The draft document identifies security requirements for the US-VISIT program and
addresses the need for training and awareness. However, the document does not
include (1) specific controls for meeting the security requirements, (2) a risk
assessment methodology, and (3) roles and responsibilities of individuals with
system access. Moreover, with the exception of the US-VISIT security
requirements, much of the document discusses guidelines for developing a security
plan, rather than specific contents of a US-VISIT security plan.

Despite the absence of a security plan, the US-VISIT CIO accredited Increment 1 
based upon updated security certifications 1 for each of Increment 1's component 
systems (e.g., ADIS, IDENT, and IBIS) and a review of the documentation, 
including component security plans, associated with these updates. According to 
the security evaluation report (SER), the risks associated with each component 
system were evaluated, component system vulnerabilities were identified, and 
component system certifications were granted. 

1 Certification is the evaluation of the extent to which a system meets a set of security requirements. Accreditation is the
authorization and approval granted to a system to process sensitive data in an operational environment; this is made on the
basis of a compliance certification by designated technical personnel of the extent to which design and implementation of the
system meet defined technical requirements for achieving data security.

Based on the SER, the US-VISIT security officer certified Increment 1, and
Increment 1 was accredited and granted an interim authority to operate for 6
months. This authority will expire on June 18, 2004.

Additionally, this authority would not extend to a modified version of Increment 1.
For example, the SER states that US-VISIT exit functionality was not part of the
Increment 1 certification and accreditation, and that it was to be certified and
accredited separately from Increment 1. The SER also notes that the Increment 1
certification will require updating upon the completion of security documentation for
the exit functionality.

Privacy Impact Assessment. The US-VISIT program has conducted a privacy
impact assessment for Increment 1. According to OMB guidance, 1 the depth and
content of such an assessment should be appropriate for the nature of the
information to be collected and the size and complexity of the system involved.

1 OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB M-03-22 (Sept. 26, 2003).

The assessment should also, among other things, (1) identify appropriate
measures for mitigating identified risks, (2) discuss the rationale for the final design 
or business process choice, (3) discuss alternatives to the designed information 
collection and handling, and (4) address whether privacy is provided for in system 
development documentation. 

The OMB guidance also notes that an assessment may need to be updated before 
deploying a system in order to, among other things, address choices made in 
designing the system or in information collection and handling. 

The Increment 1 assessment satisfies some, but not all, of the above four OMB 
guidance areas. Specifically, it identifies Increment 1 privacy risks, discusses 
mitigation strategies for each risk, and briefly discusses the rationale for design 
choices. However, the assessment does not discuss alternatives to the designed 
methods of information collection and handling. Additionally, the Increment 1 
systems documentation does not address privacy issues. 

According to the Program Director, the assessment will be updated for future 
increments.

Open Recommendation 2: Develop and implement a plan for satisfying key
acquisition management controls, including acquisition planning, solicitation, 
requirements development and management, project management, contract 
tracking and oversight, evaluation, and transition to support, and implement the 
controls in accordance with SEI guidance. 

Status: Planned 

According to the US-VISIT Program Director, the program office has established a 
goal of achieving SEI Software Acquisition Capability Maturity Model (SA-CMM®) 
level 2, and the office's Acquisition and Program Management Lead has 
responsibility for achieving this status. To facilitate attaining this goal, the 
Acquisition and Program Management Lead's organization includes functions 
consistent with the management controls defined by the SA-CMM®, such as 
acquisition planning and requirements development and management.

Objective 2 Results
Open Recommendations 



According to the Acquisition and Program Management Lead, an approach for 
achieving level 2 will be defined as part of a strategy that has yet to be developed. 
However, the lead could not provide a date for when the strategy would be 
developed. The expenditure plan indicates that the US-VISIT program office will 
solicit SEI's participation in achieving level 2.



Open Recommendation 3: Ensure that future expenditure plans are provided to 
the Department's House and Senate Appropriations Subcommittees on Homeland 
Security in advance of US-VISIT funds being obligated. 

Status: Complete 

The Congress appropriated $330 million in fiscal year 2004 funds for the US-VISIT 
program. 1 

On January 27, 2004, DHS provided its fiscal year 2004 expenditure plan to the 
Senate and House Appropriations Subcommittees on Homeland Security. 

On January 26, 2004, DHS submitted to the Senate and House Appropriations 
Subcommittees on Homeland Security a request for the release of $25 million from 
the fiscal year 2004 appropriations. 







1 Department of Homeland Security Appropriations Act, 2004, Pub. L. 108-90 (Oct. 1, 2003).

Open Recommendation 4: Ensure that future expenditure plans fully disclose US-VISIT
system capabilities, schedule, cost, and benefits to be delivered.

Status: Partially complete 

Capabilities 

The expenditure plan identifies high-level capabilities, such as 

• record arrival of foreign nationals, 

• identify foreign nationals who have stayed beyond the authorized period, and 

• use biometrics to verify identity of foreign nationals. 

The plan does not associate these capabilities with specific increments.

Schedule

The plan identifies a high-level schedule for implementing the system. For
example, Increment 2A is to be implemented by October 26, 2004; Increment 2B
by December 31, 2004; and Increment 3 by December 31, 2005.

Costs

The plan identifies total fiscal year 2004 costs by each increment. For example, 
DHS plans to obligate $73 million in fiscal year 2004 funds for Increment 2A. 
However, the plan does not break out how the $73 million will be used to support 
Increment 2A, beyond indicating that the funds will be used to read biometric 
information in travel documents, including fingerprints and photos, at all ports of 
entry. Also, the plan does not identify any nongovernment costs. 

Benefits 

The plan identifies seven general benefits and planned performance metrics for 
measuring three of the seven benefits. The plan does not associate the benefits 
with increments. 

The following table shows US-VISIT benefits and whether associated metrics have 
been defined.

Extent to Which Planned Performance Metrics Are Defined for Each Benefit

| Benefits | Planned performance metric defined? (Yes / No) |
|---|---|
| Prevention of entry of high-threat or inadmissible individuals through improved and/or advanced access to data before the foreign national's arrival | X |
| Improved enforcement of immigration laws through improved data accuracy and completeness | X |
| Reduction in foreign nationals remaining in the country under unauthorized circumstances | X |
| Improved facilitation of legitimate travel and commerce through improved timeliness and accuracy of determination of traveler status | X |
| Reduced threat of terrorist attack and illegal immigration through improved identification of national security threats and inadmissible individuals | X |
| Improved accuracy and timeliness of the determination of foreign national admissibility | X |
| Improved cooperation across federal, state, and local agencies through improved access to foreign national data | X |

Source: GAO.

Note: GAO analysis based on DHS data.

Open Recommendation 5: Establish and charter an executive body composed of
senior-level representatives from DHS and each stakeholder organization to guide 
and direct the US-VISIT program. 

Status: Complete 

DHS has established a three-entity governance structure. The entities are (1) the 
Homeland Security Council (HSC), (2) the DHS Investment Review Board (IRB), 
and (3) the US-VISIT Federal Stakeholders Advisory Board. 

• The HSC is tasked with ensuring the coordination of all homeland security-related
activities among executive departments and agencies and is composed
of senior-level executives from across the federal government. According to
the expenditure plan, the HSC helps to set policy boundaries for the US-VISIT
program.



• According to DHS's investment management guidance, 1 the IRB is the 
executive review board that provides acquisition oversight of DHS level 1 
investments 2 and conducts portfolio management. The primary function of the 
IRB is to review level 1 investments for formal entry into the budget process 
and at key decision points. The plan states that the IRB is to monitor the US-VISIT
program's achievement of cost, schedule, and performance goals.

1 DHS Management Directive 1400, Investment Review Process (undated).

2 Level 1 investment criteria are contract costs exceeding $50 million; importance to DHS strategic and performance plans;
high development, operating, or maintenance costs; high risk; high return; significant resource administration; and life cycle
costs exceeding $200 million. According to the DHS CIO, US-VISIT is a level 1 investment.

• According to its charter, the Advisory Board provides recommendations for
overseeing US-VISIT management and performance activities, including 

• providing advice on the overarching US-VISIT vision; 

• recommending the overall US-VISIT strategy and its responsiveness to all 
operational missions, both within DHS and with its participating 
government agencies; 

• recommending changes to the US-VISIT vision and strategic direction; 

• providing a communication link for aligning strategic direction, priorities, 
and resources with stakeholder operations; 

• reviewing and assessing US-VISIT programwide institutional processes to 
ensure that business, fiscal, and technical priorities are integrated and 
carried out in accordance with established priorities; and 

• reviewing and recommending new US-VISIT program initiatives, including 
the scope, funding, and programmatic resources required.



The Advisory Board is chaired by the Under Secretary for Border and 
Transportation Security and held its first meeting on January 26, 2004. The board 
is composed of representatives from key US-VISIT stakeholder organizations, 
including the following members: 

• Chief Information Officer, Chief Financial Officer, Chief Privacy Officer, DHS 

• Chief Information Officer, U.S. Department of Justice 

• Office of International Affairs, DHS 

• Assistant Secretary for Transportation Policy, U.S. Department of Transportation 

• Assistant Commandant Marine Safety, Security and Environmental Protection, U.S. Coast Guard

• Assistant Secretary for Policy and Planning, Border and Transportation Security Directorate 

• Assistant Secretary, Science and Technology Directorate, DHS 

• Administrator, Transportation Security Administration 

• Assistant Director, Investigations, Immigrations and Customs Enforcement

• Director, Office of International Enforcement, Border and Transportation Security Directorate 

• Deputy Assistant Secretary, Service Industries, Tourism and Finance, U.S. Department of 
Commerce 

• Deputy Assistant Secretary, Passport Services, U.S. Department of State 

• Associate Director of Operations, Citizenship and Immigration Services 1 

• Advisory Board Counsel 

1 Title changed to reflect agency comments.

Open Recommendation 6: Ensure that human capital and financial resources are
provided to establish a fully functional and effective program office.

Status: In progress

DHS established the US-VISIT program office in July 2003 and determined the
office's staffing needs to be 115 government and 117 contractor personnel.

As of February 2004, DHS had filled all the program office's 12 key management 
and 29 other positions, leaving 74 positions to be filled. All filled positions are 
currently staffed by detailees from other organizational units within DHS, such as 
Immigration and Customs Enforcement. 

The graphic on the next page shows the US-VISIT program office organization 
structure and functions, the number of positions needed by each office, and the 
number of positions filled by detailees.

US-VISIT Program Organizational Structure, Functions, and Filled and Vacant Positions

[Organization chart. The offices and functions shown are listed below; the chart's per-office markers for detailed and vacant positions are not reproduced.]

• Director

• Deputy Director

• Chief Strategist: Enterprise strategic/planning; Governance; Policy, privacy, and business rules; Organization change management

• Mission Operations Management: Business process reengineering; Requirements development; Policies and procedures; Business transition; Business results management; Mission operations center

• Legal and Regulatory Support

• Administration and Management

• Implementation Management: Increment 1; Increment 2; Increment 3; Increment 4

• Budget and Financial Management: Portfolio management; Financial management; Performance management

• Outreach Management: Liaison; Communications; Oversight

• Information Technology Management: Technical standards and biometrics; Enterprise architecture and engineering coordination; Enterprise architecture; Enterprise engineering; Transition management; Test and evaluation; Training; Security

• Acquisition & Program Management: Acquisition strategy; Contracts management; Policies, procedures, and regulations; Program planning; Risk management; Requirements management; Quality assurance; Program control; Process improvement; Document management; Configuration management

• Facilities Management: Planning, integration, and execution; Port of entry management; Environmental management; Lease acquisition management; GIS management 1; Traffic model analysis; Interagency requirements development; Schedule, budget, contracts, risk management

Source: GAO.

Note: GAO analysis based on DHS data.

1 A geographic information system (GIS) is a system of computer software, hardware, and data used to manipulate, analyze, and graphically present a
potentially wide array of information associated with geographic locations.

In addition to the 115 government staff anticipated, the program anticipated 117
contractor support staff. As of February 2004, program officials told us they had
filled 97.5 of these 117.

Open Recommendation 7: Clarify the operational context in which US-VISIT is to
operate. 

Status: In progress 

DHS is in the process of defining the operational context in which US-VISIT is to 
operate. In October 2003, DHS released version 1 of its enterprise architecture, 
and it plans to issue version 2 in September 2004. 1 We are currently reviewing 
DHS's latest version of its architecture at the request of the House Committee on 
Government Reform's Subcommittee on Technology, Information Policy, 
Intergovernmental Relations, and the Census.

1 Department of Homeland Security Enterprise Architecture Compendium Version 1.0 and Transitional Strategy.

Open Recommendation 8: Determine whether proposed US-VISIT increments will
produce mission value commensurate with cost and risks. 

Status: Planned 

The expenditure plan identifies high-level benefits to be provided by the US-VISIT 
program, such as the ability to prevent the entry of high-threat or inadmissible 
individuals through improved and/or advanced access to data before the foreign 
national's arrival. However, the plan does not associate these benefits with specific 
increments. Further, the plan does not identify the total estimated cost of Increment 
2. Instead, the plan identifies only fiscal year 2004 funds to be obligated for 
Increments 2A and 2B, which are $73 million and $81 million, respectively. In 
addition, the plan does not include any nongovernmental costs associated with US-VISIT.
The RFP indicates that the total solution for Increment 2 has not been
determined and will not be finalized until the prime contractor is on board. Until that 
time, DHS is not in a position to determine the total cost of Increments 2A and 2B, 
and thus whether they will produce mission value commensurate with costs.



According to program officials, they have developed a life cycle cost estimate and 
cost-benefit analysis that are currently being reviewed and are to be completed in 
March 2004. According to these officials, the cost-benefit analysis will be for 
Increment 2B.

Open Recommendation 9: Define US-VISIT program office positions, roles, and
responsibilities. 

Status: In progress 

The US-VISIT program is working with the Office of Personnel Management (OPM) 
through an interagency agreement to, among other things, assist the program 
office in defining its position descriptions (including position roles and 
responsibilities), issuing vacancy announcements, and recruiting persons to fill the 
positions. 

The US-VISIT program is also working with OPM to define the competencies that 
are to be used in defining the position descriptions. As of February 2004, the 
program office reported that it has partially completed defining the competencies 
for its 12 offices and has partially completed position descriptions for 4 of the 12
offices. 

The following slide shows the competencies defined and position descriptions 
written.

Program Office Written Position Descriptions and Core Competencies Developed

| Office | Written position descriptions | Core competencies developed |
|---|---|---|
| Director | © | © |
| Deputy Director | O | © |
| Legal and Regulatory | O | © |
| Chief Strategist | O | |
| Mission Operations Management | O | © |
| Information Technology Management | O | © |
| Implementation Management | © | © |
| Facilities Management | O | © |
| Budget and Financial Management | O | © |
| Outreach Management | O | © |
| Acquisition/Program Management | O | © |
| Administration and Management | O | © |

O No

^ Partial

Source: GAO.

Note: GAO analysis based on DHS data.

Open Recommendation 10: Develop and implement a human capital strategy for
the US-VISIT program office that provides for staffing positions with individuals who 
have the appropriate knowledge, skills, and abilities. 

Status: Planned 

The US-VISIT program office has not yet defined a human capital strategy, 
although program officials stated that they plan to develop one in concert with the 
department's ongoing workforce planning. As part of its effort, DHS is drafting a 
departmental workforce plan that, according to agency officials, will likely be 
completed during fiscal year 2004. 

According to the Program Director, the Director of Administration and Management 
is responsible for developing the program's strategic human capital plan. However, 
descriptions of the Administration and Management office functions, including 
those provided by the program office and those in the expenditure plan, do not 
include strategic human capital planning.

Open Recommendation 11: Develop a risk management plan and report all high
risks and their status to the executive body on a regular basis. 

Status: Partially complete 

The program office has developed a draft risk management plan, dated June 2003. 
The draft defines plans to develop, implement, and institutionalize a risk 
management program. The program's primary function is to identify and mitigate 
US-VISIT risks. 

The expenditure plan states that the program office is currently defining risk 
management processes. In the interim, the program office is creating a risk 
management team to assist the program office in proactively identifying and 
managing risks while formal processes and procedures are being developed.



The expenditure plan also states that the US-VISIT program office currently 
maintains a risk and issue tracking database and conducts weekly risk and 
schedule meetings. Within the risk database, each risk is assigned a risk impact 
rating and an owner. The database also gives the date when the risk is considered 
closed. In addition, the US-VISIT program office has staff dedicated to tracking 
these items and meeting weekly with the various integrated project teams to 
mitigate potential risks. 

Open Recommendation 12: Define performance standards for each US-VISIT
increment that are measurable and reflect the limitations imposed by relying on 
existing systems. 

Status: In progress 

US-VISIT has defined limited, measurable performance standards. For example: 

• System availability 1 — the system shall be available 99.5 percent of the time. 

• Data currency — (1) US-VISIT Increment 1 Doc Key 2 data shall be made 
available to any interfacing US-VISIT system within 24 hours of the event 
(enrollment, biometric encounter, departure, inspector modified data); 

(2) IBIS/APIS arrival manifests, departure manifests, and inspector-modified 
data shall be made available to ADIS within 24 hours of each stated event; and 

(3) IDENT shall reconcile a biometric encounter within 24 hours of the event. 

1 System availability is defined as the time the system is operating satisfactorily, expressed as a percentage of time that the
system is required to be operational. 

2 DocKey includes such information as biographical data and the fingerprint identification number, and is used to track a foreign 
national's identity as the information is shared between systems. 

Objective 2 Results



However, not all performance standards are being defined in a way that reflects the 
performance limitations of existing systems. 

In particular, US-VISIT documentation states that the system performance standard 
for Increment 1 is 99.5 percent. However, Increment 1 availability is the product of 
its component system availabilities. Given that US-VISIT system documentation 
also states that the system availability performance standard for IDENT and ADIS 
is 99.5 percent, Increment 1 system availability would have to be something less 
than 99.5 percent (99.5 x 99.5 x other component systems' availability). 

Observations: Increment 1



Observation 1: Increment 1 commitments were largely met; the system is 
deployed and operating. 

According to DHS, Increment 1 was to deliver an initial operating capability to all air 
and sea POEs by December 31, 2003, that included

• recording the arrival and departure of foreign nationals using passenger and 
crew manifest data, 

• verifying foreign nationals' identity upon entry into the United States through 
the use of biometrics and checks against watchlists at air POEs and 13 of 42 
sea POEs, 

• interfacing with seven existing systems that contain data about foreign 
nationals, 

• identifying foreign nationals who have overstayed their visits or changed their 
visitor status, and 

• potentially including an exit capability beyond the capture of the manifest data. 

Objective 3 Results



Generally, an initial operating capability was delivered to air and sea POEs on 
January 5, 2004. In particular, Increment 1 entry capability (including biographic 
and biometric data collection) was deployed to 115 airports and 14 seaports on
January 5, 2004. Further, while the expenditure plan states that an Increment 1 exit 
capability was deployed to 80 air and 14 sea POEs on January 5, 2004, exit 
capability (including biometric capture) was deployed to only one air POE 
(Baltimore/Washington International Airport) and one sea POE (Miami Royal 
Caribbean seaport). 

DHS's specific satisfaction of each commitment is described on the following 
slides. 

1 INS Data Management Improvement Act of 2000, Pub. L. 106-215 (June 15, 2000).

Recording the arrival and departure of foreign nationals using passenger and crew 
manifest data: 

• Satisfied: Carriers submit electronic arrival and departure manifest data to 
IBIS/APIS. 

Verifying foreign nationals' identity upon entry into the United States through the 
use of biometrics and checks against watchlists at air POEs and 13 sea POEs: 

• Satisfied: After carriers submit electronic manifest data to IBIS/APIS, 
IBIS/APIS is queried to determine whether there is any biographic lookout or 
visa information for the foreign national. Once the foreign national arrives at a 
primary POE inspection booth, the inspector, using a document reader, scans 
the machine-readable travel documents. IBIS/APIS returns any existing 
records on the foreign national, including manifest data matches and 
biographic lookout hits. When a match is found in the manifest data, the 
foreign national's name is highlighted and outlined on the manifest data portion 
of the screen. 

• Biographic information, such as name and date of birth, is displayed on the 
bottom half of the screen, as well as the picture from the scanned visa. IBIS 
also returns information about whether there are, within IDENT, existing 
fingerprints for the foreign national. 

• The inspector switches to the IDENT screen and scans the foreign national's 
fingerprints (left and right index fingers) and photograph. The system accepts 
the best fingerprints available within the 5-second scanning period. This 
information is forwarded to the IDENT database, where it is checked against 
stored fingerprints in the IDENT lookout database. If no prints are currently in 
the IDENT database, the foreign national is enrolled in US-VISIT (i.e., 
biographic and biometric data are entered). If the foreign national's fingerprints 
are already in IDENT, the system performs a 1:1 match (a comparison of the
fingerprint taken during the primary inspection to the one on file) to confirm that 
the person submitting the fingerprints is the person on file. If the system finds a 
mismatch of fingerprints or a watchlist hit, the foreign national is sent to 
secondary inspection for further screening or processing. 

Interfacing seven existing systems that contain data about foreign nationals:

• Largely satisfied: As of January 5, 2004, US-VISIT interfaced six of seven 
existing systems. The CLAIMS 3 to ADIS interface was not operational on 
January 5, 2004, but program officials told us that it was subsequently placed 
into production on February 11, 2004.

Identifying foreign nationals who have overstayed their visits or changed their 
visitor status: 

• Largely satisfied: ADIS matches entry and exit manifest data provided by air 
and sea carriers. The exit process includes the carriers' submission of 
electronic manifest data to IBIS/APIS. This biographic information is passed to 
ADIS, where it is matched against entry information. 

• US-VISIT was to rely on interfaces with CLAIMS 3 and SEVIS to obtain 
information regarding changes in visitor status. However, as of January 5, 
2004, the CLAIMS 3 interface was not operational; it was subsequently placed 
into production on February 11, 2004. Further, although the SEVIS to ADIS
interface was implemented on January 5, 2004, after January 5, problems 
surfaced, and manual workarounds had to be implemented. According to the 
program officials, the problems are still being addressed. 

Potentially include an exit capability beyond the capture of the manifest data:

• Not satisfied: Biometric exit capability was not deployed to the 80 air 1 and 14 
sea POEs that received Increment 1 capability. Instead, biometric exit 
capability was provided to two POEs for pilot testing. Under this testing, foreign 
nationals use a self-serve kiosk where they are prompted to scan their travel 
documentation and provide their fingerprints (right and left index fingers). On a 
daily basis, the information collected on departed passengers is downloaded to 
a CD-ROM. 2 The CD is then express mailed to a DHS contractor facility to be 
uploaded into IDENT, where a 1:1 match is performed (i.e., the fingerprint 
captured during entry is compared with the one captured at exit). 

• According to program officials, biometric capture for exit was deployed at two 
POEs on January 5, 2004, as a pilot. According to these officials, this exit 
capability was deployed to only two POEs because US-VISIT decided to 
evaluate other exit alternatives. 

1 Only 80 of the 115 air POEs are departure airports for international flights.

2 A CD-ROM is a digital storage device that is capable of being read, but not overwritten. 

Observations: Testing



Observation 2: The system acceptance test (SAT) plan was developed largely 
during and after test execution. 

The purpose of SAT is to identify and correct system defects (i.e., unmet system 
functional, performance, and interface requirements) and thereby obtain 
reasonable assurance that the system performs as specified before it is deployed 
and operationally used. To be effective, testing activities should be planned and 
implemented in a structured and disciplined fashion. Among other things, this 
includes developing effective test plans to guide the testing activities. According to 
relevant systems development guidance, 1 SAT plans are to be developed before 
test execution. 

However, this was not the case for Increment 1. Specifically, the US-VISIT program
provided us with four versions of a test plan, each containing more information than 
the previous version. While the initial version was dated September 18, 2003, 
which is before testing began, the three subsequent versions (all dated November 
17, 2003) were modified on November 25, 2003, December 18, 2003, and January 
16, 2004, respectively. 

1 According to US-VISIT officials, in the absence of a DHS Systems Development Life Cycle (SDLC), they followed the former 
Immigration and Naturalization Service's SDLC, version 6.0, to manage US-VISIT development. 


According to the program office, the version modified on January 16, 2004, is the 
final plan. According to the SAT Test Analysis Report (dated January 23, 2004), 
testing began on September 29, 2003, and was completed on January 7, 2004, 
meaning that the plans governing the execution of testing were not sufficiently 
developed before test execution. 1 

The following timeline compares test plan development and execution. 

1 According to an IT management program official, although the Test Analysis Report was marked "Final," it is still being
reviewed. 

Timeline Comparing Test Plan Development and Test Execution

• Test plan 1: plan dated 9/18/03
• Test plan 2: plan dated 11/17/03; plan modified 11/25/03
• Test plan 3: plan dated 11/17/03; plan modified 12/18/03
• Test plan 4: plan dated 11/17/03; plan modified 1/16/04
• Testing began 9/29/03; testing completed 1/7/04

Source: GAO.

Note: GAO analysis based on DHS data.

According to US-VISIT officials, SAT test plans were not completed before testing
began because of the compressed schedule for testing. According to these 
officials, a draft test plan was developed and periodically updated to reflect 
documentation provided by the component contractors. 

In the absence of a complete test plan before testing began, the US-VISIT program 
office unnecessarily increased the risk that the testing performed would not 
adequately address Increment 1 requirements, which increased the chances of 
either having to redo already executed tests or deploy a system that would not 
perform as intended. In fact, postdeployment problems surfaced with the SEVIS 
interface, and manual workarounds had to be implemented. According to the 
program officials, the problems are still being addressed. 

Observation 3: SAT plan available during testing was not complete.

To be effective, testing activities should be planned and implemented in a 
structured and disciplined fashion. Among other things, this includes developing 
effective test plans to guide the testing activities. According to relevant systems 
development guidance, a complete test plan (1) specifies the test environment, 
including test equipment, software, material, and necessary training; (2) describes 
each test to be performed, including test controls, inputs, and expected outputs; 
(3) defines the test procedures to be followed in conducting the tests; and (4) 
provides traceability between test cases and the requirements to be verified by the 
testing. 1 This guidance also requires that the system owner concur with, and the IT 
project manager approve, the test plan before SAT testing. 

1 According to US-VISIT officials, in the absence of a DHS Systems Development Life Cycle (SDLC), they followed the former
Immigration and Naturalization Service's SDLC, version 6.0, to manage US-VISIT development. 

As previously noted, the US-VISIT program office provided us with four versions of
the SAT test plan. The first three versions of the plan were not complete. The final 
plan largely satisfied the above criteria. 

• The September 18, 2003, test plan included a description of the test 
environment and a brief description of tests to be performed, but the 
description of the tests did not include controls, inputs, and expected outputs. 
Further, the plan did not include specific test procedures for implementing the 
test cases and provide traceability between the test cases and the 
requirements that they were designed to test. 

• Similarly, the November 25, 2003, test plan included a description of the test 
environment and a brief description of tests to be performed, but the 
description of the tests did not include controls, inputs, and expected outputs. 
Further, the plan did not include specific test procedures for implementing the 
test cases or provide traceability between the test cases and the requirements 
they were designed to test. 

• The December 18, 2003, test plan included a description of the test
environment and a brief description of 55 tests to be performed. The plan also 
described actual test procedures and controls, inputs, and expected outputs for 
24 of the 55 test cases. The plan included traceability between the test cases 
and requirements. 

• The January 16, 2004, test plan included a description of the test environment; 
the tests to be performed, including inputs, controls, and expected outputs; the 
actual test procedures for each test case; and traceability between the test 
cases and requirements. 

None of the test plan versions, including the final version, indicated concurrence by 
the system owner or approval by the IT project manager. 

The following graphic shows the SAT plans' satisfaction of relevant criteria. 

[Figure: SAT Plans' Satisfaction of Relevant Criteria]

According to US-VISIT officials, SAT test plans were not completed before testing 
began because the compressed schedule necessitated continuously updating the 
plan as documentation was provided by the component contractors. According to 
an IT management official, test cases were nevertheless available for ADIS and 
IDENT in these systems' regression test plans or in a test case repository. 

Without a complete test plan for Increment 1, DHS did not have adequate
assurance that the system was being fully tested, and it unnecessarily assumed the 
risk that errors detected would not be addressed before the system was deployed, 
and that the system would not perform as intended when deployed. In fact, 
postdeployment problems surfaced with the SEVIS interface, and manual 
workarounds had to be implemented. According to the program officials, the 
problems are still being addressed. 

Observation 4: SAT was not completed before the system became operational.

The purpose of SAT is to identify and correct system defects (i.e., unmet system 
functional, performance, and interface requirements) and thereby obtain 
reasonable assurance that the system performs as specified before it is deployed 
and operationally used. SAT is accomplished in part by (1) executing a predefined 
set of test cases, each traceable to one or more system requirements, 
(2) determining if test case outcomes produce expected results, and (3) correcting 
identified problems. To the extent that test cases are not executed, the scope of 
system testing can be impaired, and thus the level of assurance that the system will 
perform satisfactorily is reduced. 

Increment 1 began operating on January 5, 2004. However, according to the SAT 
Test Analysis Report, testing was completed 2 days after Increment 1 began 
operating (January 7, 2004). Moreover, the Test Analysis Report shows that 
important test cases were not executed. For example, none of the test cases 
designed to test the CLAIMS 3 and SEVIS interfaces were executed. 

According to agency officials, the CLAIMS 3 to ADIS interface was not ready for
acceptance testing before January 5, 2004. Accordingly, deployment of this
capability and the associated testing were deferred; they were completed on
February 11, 2004.

Similarly, the SEVIS to ADIS interface was not ready for testing before January 5, 
2004. However, this interface was implemented on January 5, 2004, without 
acceptance testing. According to program officials, the program owner and 
technical project managers were aware of the risks associated with this approach. 

By not fully testing Increment 1 before the system became operational, the program 
office assumed the risk of introducing errors into the deployed system and 
potentially jeopardizing its ability to effectively perform its core functions. In fact, 
postdeployment problems surfaced with the SEVIS interface as a result of this 
approach, and manual workarounds had to be implemented. According to the 
program officials, the problems are still being addressed. 

Observation 5: Independent verification and validation (IV&V) contractor's roles
may be conflicting. 

As we have previously reported, 1 the purpose of independent verification and 
validation (IV&V) is to provide an independent review of system processes and 
products. The use of IV&V is a recognized best practice for large and complex 
system development and acquisition projects like US-VISIT. To be effective, the 
IV&V function must be performed by an entity that is independent of the processes 
and products that are being reviewed. 

The US-VISIT program plans to use its IV&V contractor to review some of the 
processes and products that the contractor may be responsible for. For example, 
the contractor statement of work, dated July 18, 2003, states that it shall provide 
program and project management support, including providing guidance and 
direction and creating some of the strategic program and project level products. At 
the same time, the statement of work states that the contractor will assess 
contractor and agency performance and technical documents. 

1 U.S. General Accounting Office, Customs Service Modernization: Results of Review of First Automated Commercial 
Environment Expenditure Plan, GAO-01-696 (Washington, D.C.: June 5, 2001). 

Depending on the products and processes in question, this approach potentially
does not satisfy the independence requirements of effective IV&V, because the 
reviews conducted could lack independence from program cost and schedule 
pressures. Without effective IV&V, DHS is unnecessarily exposing itself to the risk 
that US-VISIT increments will not perform as intended or be delivered on time and 
within budget. 

Observation 6: Program-level change control board has not been established.

The purpose of configuration management is to establish and maintain the integrity
of work products (e.g., hardware, software, and documentation). According to
relevant guidance, 1 system configuration management includes four management 
tasks: (1) identification of hardware and software parts (items/components/ 
subcomponents) to be formally managed, (2) control of changes to the parts, 
(3) periodic reporting on configuration status, and (4) periodic auditing of 
configuration status. A key ingredient to effectively controlling configuration change 
is the functioning of a change control board (CCB); using such a board is a 
structured and disciplined approach for evaluating and approving proposed 
configuration changes. 



1 SEI's Capability Maturity Model® Integration (CMMI℠) for Systems Engineering, Software Engineering, Integrated Product
and Process Development, and Supplier Sourcing, Version 1.1 (Pittsburgh: March 2002).

According to the US-VISIT CIO, the program does not yet have a change control
board. In the absence of one, program officials told us that changes related to 
Increment 1 were controlled primarily through daily coordination meetings (i.e., oral 
discussions) among representatives from Increment 1 component systems (e.g., 
IDENT, ADIS, and IBIS) teams and program officials, and the CCBs already in 
place for the component systems. 

The following graphic depicts the US-VISIT program's interim change control board 
approach compared to a structured and disciplined program-level change control 
approach. In particular, the interim approach requires individuals from each system 
component to interface with as many as six other stakeholders on system changes. 
Moreover, these interactions are via human-to-human communication. In contrast, 
the alternative approach reduces the number of interfaces to one for each 
component system and relies on electronic interactions with a single control point 
and an authoritative configuration data store. 

[Figure: Simplified Diagram Comparing US-VISIT and Alternative Approach]

Without a structured and disciplined approach to change control, the US-VISIT
program does not have adequate assurance that approved system changes are 
actually made; that approved changes are based, in part, on US-VISIT impact and 
value rather than solely on system component needs; and most importantly, that 
changes made to the component systems for non-US-VISIT purposes do not 
interfere with US-VISIT functionality. 

Observation 7: Expenditure plan does not disclose management reserve funding.

The creation and use of a management reserve fund to earmark resources for 
addressing the many uncertainties that are inherent in large-scale systems 
acquisition programs is an established practice and a prudent management 
approach. The appropriations committees have historically supported an explicitly 
designated management reserve fund in expenditure plans submitted for such 
programs as the Internal Revenue Service's Business Systems Modernization and 
DHS's Automated Commercial Environment. Such explicit designation provides the 
agency with a flexible resource source for addressing unexpected contingencies 
that can inevitably arise in any area of proposed spending on the program, and it 
provides the Congress with sufficient understanding about management reserve 
funding needs and plans to exercise oversight over the amount of funding and its 
use. 



GAO-04-586 Homeland Security 



Appendix I 

Briefing to the Staffs of the Subcommittees 
on Homeland Security, Senate and House 
Committees on Appropriations 



Observations: Management Reserve

The fiscal year 2004 US-VISIT expenditure plan does not contain an explicitly 
designated management reserve fund. According to US-VISIT officials, including 
the program director, reserve funding is instead embedded within the expenditure 
plan's various areas of proposed spending. However, the plan does not specifically 
disclose these embedded reserve amounts. We requested but have yet to receive 
information on the location and amounts of reserve funding embedded in the plan. 1 

By not creating, earmarking, and disclosing a specific management reserve fund in 
its fiscal year 2004 US-VISIT expenditure plan, DHS is limiting its flexibility in 
addressing unexpected problems that could arise in the program's various areas of 
proposed spending, and it is limiting the ability of the Congress to exercise effective 
oversight of this funding. 



1 In agency comments on a draft of this report, US-VISIT stated that it supported establishing a management reserve and
would be revising its fiscal year 2004 expenditure plan to identify a discrete management reserve amount. 

Observations: Workforce and Facilities



Observation 8: Land POE workforce and facility needs are uncertain. 

Effectively planning for program resource needs, such as staffing levels and facility 
additions or improvements, depends on a number of factors, including the 
assumptions being made about the scope of the program and the sufficiency of 
existing staffing levels and facilities. Without reliable assumptions, the resulting 
projections of resource needs are at best uncertain. 

For entry at land POEs, DHS plans for Increment 2B do not call for additional staff 
or facilities. The plans do not call for acquiring and deploying any additional staff to 
collect biometrics while processing foreign nationals through secondary inspection 
areas. Similarly, these plans provide for using existing facilities, augmented only by 
such infrastructure improvements as conduits, electrical supply, and signage. For 
exit at land POEs, DHS's plans for Increment 2B also do not call for additional staff
or facilities, although they do provide for installation of RF technology at yet-to-be- 
defined locations in the facility area to record exit information. 




US-VISIT Increment 2B workforce and facility plans are based on various 
assumptions, including (1) no additional foreign nationals will need to go to 
secondary inspection and (2) the average time needed to capture the biometric 
information will be 15 seconds, based on the Increment 1 experience at air POEs. 
However, these assumptions raise questions for several reasons. 

• According to DHS program officials, including the Acting Increment 2B 
Program Manager, the Director of Facilities and Engineering, and the Program 
Director, any policy changes that could significantly increase the number of 
foreign nationals who would require processing through US-VISIT could impact 
these assumptions and thus staffing and facilities needs. 

• According to the Increment 1 pilot test results, the average time needed to 
capture biometric information is 19 seconds. Moreover, DHS facilities told us 
that they have yet to model the impact of even the additional 15 seconds for
secondary inspections. 

Moreover, according to a report from the Data Management Improvement Act Task 
Force, 1 existing land POE facilities do not adequately support even the current 
entry and exit processes. In particular, more than 100 land POEs have less than 50 
percent of the required capacity (workforce and facilities) to support current 
inspection processes and traffic workloads. 

To assist in its planning, the US-VISIT program office has begun facility feasibility 
assessments and space utilization studies at each land POE. Until such analysis is 
completed, the assumptions being used to support Increment 2B workforce and 
facility planning will be questionable, and the projected workforce and facility 
resource needs will be uncertain. 



1 Data Management Improvement Act Task Force, Second Annual Report to the Congress (Washington, D.C., December 
2003). 

Conclusions



The fiscal year 2004 US-VISIT expenditure plan (with related program office 
documentation and representations) either partially satisfies or satisfies the 
legislative conditions imposed by the Congress. Further, steps are planned, under 
way, or completed to address most of our open recommendations. However, 
overall progress on all our recommendations has been slow, and considerable 
work remains to fully address them. The majority of these recommendations are 
aimed at correcting fundamental limitations in the program office's ability to 
manage US-VISIT in a way that reasonably ensures the delivery of mission value 
commensurate with costs and provides for the delivery of promised capabilities on 
time and within budget. Given this background, it is important for DHS to implement 
the recommendations quickly and completely through active planning and 
continuous monitoring and reporting. Until this occurs, the program will continue to 
be at high risk of not meeting expectations. 

To the US-VISIT program office's credit, the first phase of the program has been 
deployed and is operating, and the commitments that DHS made regarding this 
initial operating capability were largely met. However, this was not accomplished in 
a manner that warrants repeating. 

In particular, the program office did not employ the kind of rigorous and disciplined 
management controls that are typically associated with successful programs, such 
as effective test management and configuration management practices. Moreover, 
the second phase of US-VISIT is already under way, and these controls are still not 
established. These controls, while significant for the initial phases of US-VISIT, are 
even more critical for the later phases, because the size and complexity of the 
program will only increase, and the later problems are found, the harder and more 
costly they are to fix. 

Also important at this juncture in the program's life are the still open questions 
surrounding whether the initial phases of US-VISIT will return value to the nation in 
line with their costs. Such questions warrant answers sooner rather than later, 
because of the program's size, complexity, cost, and mission significance. 

It is imperative that DHS move swiftly to address the US-VISIT program 
management weaknesses that we previously identified by implementing our 
remaining open recommendations. It is equally paramount that the department 
quickly correct the additional weaknesses that we have identified. To do less 
increases the risk associated with US-VISIT. 
Recommendations for Executive Action



To better ensure that the US-VISIT program is worthy of investment and is 
managed effectively, we are reiterating our prior recommendations, and we further 
recommend that the Secretary of DHS direct the Under Secretary for Border and 
Transportation Security to ensure that the US-VISIT program director takes the 
following actions: 

• Develop and approve complete test plans before testing begins. These plans, 
at a minimum, should (1) specify the test environment, including test 
equipment, software, material, and necessary training; (2) describe each test 
to be performed, including test controls, inputs, and expected outputs; 
(3) define the test procedures to be followed in conducting the tests; and 
(4) provide traceability between test cases and the requirements to be verified 
by the testing. 

• Establish processes for ensuring the independence of the IV&V contractor. 

• Implement effective configuration management practices, including 
establishing a US-VISIT change control board to manage and oversee system 
changes. 

• Identify and disclose management reserve funding embedded in the fiscal year 
2004 expenditure plan to the Appropriations Committees. 

• Ensure that all future US-VISIT expenditure plans identify and disclose 
management reserve funding. 

• Assess the full impact of Increment 2B on land POE workforce levels and 
facilities, including performing appropriate modeling exercises. 

To ensure that our recommendations addressing fundamental program 
management weaknesses are addressed quickly and completely, we further 
recommend that the Secretary direct the Under Secretary to have the program 
director develop a plan, including explicit tasks and milestones, for implementing all 
our open recommendations, including those provided in this report. We further 
recommend that this plan provide for periodic reporting to the Secretary and Under 
Secretary on progress in implementing this plan. Last, we recommend that the 
Secretary report this progress, including reasons for delays, in all future US-VISIT 
expenditure plans. 
We provided this briefing to and discussed its contents with the US-VISIT program 
officials, including the Program Director. These officials stated that they generally 
agreed with our findings, conclusions, and recommendations, and stated that the 
briefing was fair and balanced. The department also provided some technical 
comments, which we have incorporated into the briefing, as appropriate. 
Attachment 1 
Scope and Methodology 



To accomplish our objectives, we 

• analyzed the expenditure plan against legislative conditions and other relevant 
federal requirements, guidance, and best practices to determine the extent to 
which the conditions were met; 

• analyzed key acquisition management controls documentation and interviewed 
program officials to determine the status of our open recommendations; 

• analyzed supporting documentation and interviewed program officials to 
determine capabilities in key program management areas, such as acquisition 
planning, enterprise architecture, and project management; 

• analyzed Increment 1 systems and software testing documentation and 
compared them to relevant guidance to determine completeness; 

• observed the Increment 1 pilot test in Atlanta; 

• attended program working group meetings; and 

• assessed DHS's plans and ongoing and completed actions to establish and 
implement the US-VISIT program (including acquiring the US-VISIT system, 
expanding and modifying existing port of entry facilities, and developing and 
implementing policies and procedures) and compared them to existing 
guidance to assess risks. 

For DHS-provided data that we did not substantiate, we have made appropriate 
attribution indicating the data's source. 

We conducted our work at DHS's headquarters in Washington, D.C., and at its 
Atlanta Field Operations Office (Atlanta's William B. Hartsfield International Airport) 
from October 2003 through February 2004 in accordance with generally accepted 
government auditing standards. 
U.S. Department of Homeland Security 
Washington, DC 20528 

27 April 2004 

Randolph C. Hite 
Director, Information Technology Architecture and Systems Issues 
U.S. General Accounting Office 
Washington, DC 20548 



Dear Mr. Hite: 

Thank you for the opportunity to review the draft report, Homeland Security: First 
Phase of Visitor and Immigration Status Program Operating, but Improvements Needed (GAO- 
04-586). The Department of Homeland Security largely agrees with GAO on the majority of the 
findings. However, there are some findings with which we cannot agree, and we have provided 
appropriate comments in the enclosure. You will also note that we have concurred with, and 
addressed, the new recommendations generated by this review. 

As you know, US-VISIT represents the greatest advancement in border technology in 
three decades. The Department of Homeland Security established US-VISIT to achieve the 
following goals: 

• Enhance the safety of our citizens and visitors; 

• Facilitate legitimate travel and trade; 

• Ensure the integrity of our immigration system; and 

• Protect the privacy of travelers to the United States. 

The first increment of US-VISIT was deployed on time and within budget, and has 
exceeded the mandate established by Congress as it includes biometrics ahead of schedule. On 
January 5, 2004, US-VISIT entry procedures were operational at 115 airports and 14 seaports 
and by the end of this year US-VISIT will be in operation at our 50 busiest land ports of entry. 
In addition, we began pilot testing biometric exit procedures at one airport and one seaport and 
will be expanding to additional pilot locations later this summer. 

As of April 20, 2004, more than three million foreign visitors have been processed 
through the US-VISIT entry procedures - without any increase in wait times. On average, 
US-VISIT procedures take less than 15 seconds during the inspection process. 

US-VISIT has already matched over 300 persons against criminal databases and 
prevented more than 100 known or suspected criminals from entering the country. Over 200 
were matched while applying for a visa at a State Department post overseas. 
Through the US-VISIT biometric process, the Departments of Homeland Security and 
State have identified many individuals who are the subjects of lookout records. These included 
rapists, drug traffickers, convicted criminals, and those who have committed immigration 
offenses or visa fraud. 

US-VISIT is critical to our national security as well as our economic security, and its 
implementation is already making a significant contribution to the efforts of the Department to 
provide a safer and more secure America. We recognize that we have a long way still to go. We 
will build upon the initial framework and solid foundation to ensure that we continue to meet our 
goals of enhancing the security of our citizens and visitors while facilitating travel for the 
millions of visitors we welcome each year. 

For all the successes of US-VISIT, the Department realizes, and your report supports the 
fact, that we need to improve the management of the program. We have already established a 
great deal of the foundation for meeting future challenges and will continue to improve the 
necessary disciplines for excellent program management. We realize that much needs to be 
done, and we appreciate the guidance that reports such as this provide. 



Sincerely, 




Enclosure 
Enclosure: Proposed Changes, Clarifications, and Responses to Recommendations 
for Draft Report GAO-04-586 



Letter to Sen. Cochran and Rep. Rogers: 

Page 3, Status of Open Recommendations: 



See comment 1. 



See comment 2. 



1. Develop a system security plan and privacy impact assessment. 

The US-VISIT program does have an existing security plan. In addition, as GAO notes in the 
explanation of this action item, US-VISIT did complete a Privacy Impact Assessment for 
Increment 1. As US-VISIT proceeds with future increments, these documents will be updated to 
reflect changes in the program. 

Pages 3-6, Status of Open Recommendations 2 through 12: 

With respect to recommendations 2 through 12, we recognize GAO acknowledges that 
US-VISIT has implemented, partially implemented, or plans to implement them. While we could 
offer minor clarifications to the status of these issues, we agree in general with the 
recommendations and therefore provide no further comment. 



Page 6, Observations on the Expenditure Plan 



A management reserve fund has been identified in the amount of $33 million in fiscal year 2004. 
However, this was not specifically detailed in the FY 2004 Expenditure Plan. While we concur 
with the concept for such a reserve, our concern lies with any potential restrictions and/or new 
approval processes that may accompany such a set-aside. 

Page 10 - Recommendations for Executive Action: 

1. Develop and approve complete test plans before testing begins. These plans, at a minimum, 
should (1) specify the test environment, including test equipment, software, material, and 
necessary training; (2) describe each test to be performed, including test controls, inputs, and 
expected outputs; (3) define the test procedures to be followed in conducting the tests; and 
(4) provide traceability between test cases and the requirements to be verified by the testing. 

We concur. Complete test plans will be developed and approved before future testing begins. 
Corrective action completed. 

2. Establish processes for ensuring the independence of the IV&V contractor. 

We concur. US-VISIT is aggressively researching IV&V resources that will be utilized to 
independently evaluate any future development work to be performed by the US-VISIT 
prime integrator and future increments. Corrective action completed. 
See comment 3. 



See comment 4. 



See comment 5. 



3. Implement effective configuration management practices, including establishing a US-VISIT 
change control board to manage and oversee system changes. 

We concur. Effective configuration management practices for US-VISIT will be 
implemented. Corrective action in progress. 

4. Identify and disclose management reserve funding embedded in the fiscal year 2004 
expenditure plan to the Appropriations Committees. 

We concur. The FY 2004 Expenditure Plan has been revised to identify a $33 million 
management reserve, separate from incremental spending. Corrective action completed. 

5. Ensure that all future US-VISIT expenditure plans identify and disclose management reserve 
funding. 

We concur. All future expenditure plans will identify and disclose management reserve 
funding. Corrective action completed. 

6. Assess the full impact of a key future US-VISIT increment [2B] on land port of entry 
workforce levels and facilities, including performing appropriate modeling exercises. 

We concur. A full reassessment of the impact of Increment 2B will be performed with the 
new prime contractor, pending award of the contract in May 2004. Corrective action in 
progress. 

Slides: 

Slide 58 

The listing of membership for the US-VISIT Advisory Board needs correction. The "Associate 
Director of Operations, Customs and Immigration Services" needs to be changed to 
"...Citizenship and Immigration Services." In addition, the "Assistant Commissioner, Office of 
Field Operations, Customs and Border Protection" needs to be added. 

Slide 70, Observation 2: The system test (SAT) plan was developed largely during and after 
testing (and Recommendations, Slide 103). 

US-VISIT does not fully concur with the observation that the systems test plan was developed 
largely during and after testing. A comprehensive test strategy outlining the work pattern to be 
followed for independent end-to-end testing was developed in a structured and disciplined 
fashion and was approved by the US-VISIT Chief Information Officer in May 2003. This 
document outlined the environment and interfaces to be tested, as well as assumptions and 
constraints. Coordination between the US-VISIT IV&V contractor and the component 
development teams (CPB/ICE/TSA/CIS) took place from July through September 2003 to ensure 
that Use Cases were documented from the US-VISIT Functional Requirements Document and 
that technical requirements regarding the environment were resolved prior to the commencement 
of testing in September 2003. These Use Cases were the basis for the development of the Draft 
Test Plan that was delivered on September 19, 2003. Furthermore, since US-VISIT Increment 1 
leveraged established systems, test cases were available in previous test plans and were 
established in the test cases repository of Test Director (the software toolset/application utilized 
by the independent testers). Additional versions of the Test Plan were developed throughout the 
Systems Assurance Testing period due to corrections or inclusion of clarifying data provided by 
the component development teams. Throughout this iterative process the overarching Use Cases 
were never modified. US-VISIT does agree with GAO's observation that the compressed 
timeline did not allow ample time for all US-VISIT stakeholders to review the draft Test Plan, 
although daily status reports were provided as a basis for validating that all Use Cases were fully 
tested, as documented in the Test Analysis Report. 



Slide 90-91 



The US-VISIT program office was established in July 2003 and acquired two contractors, PEC 
(Program Office Support) and the MITRE Corporation (FFRDC), to initially help with the 
implementation of the program office (PO), acquisition of a prime contractor, and establishment 
of SA-CMM compliant processes and procedures to guide and manage the US-VISIT program 
acquisition. 



See comment 6. 



See comment 7. 



During the initiation phase, PEC is responsible for helping the PO with the establishment of 
plans, processes, and procedures for program planning and program/project management and 
control. Once these processes are established, PEC will assist in executing these processes, 
under PO direction. MITRE is responsible for assisting with strategic planning for the program 
and PO. MITRE is also responsible for assisting the PO in the acquisition and source selection 
of the prime contractor, and for working with PEC to ensure that the program planning, 
management, and control processes being developed are SA-CMM compliant and that an 
effective process improvement program is being put in place. 

As the program moves to the execution phase, PEC will continue to provide program 
management planning and process execution support. MITRE will focus on providing oversight 
of the prime contractor and PO support contractor to ensure that: 

• SA-CMM compliant processes are being followed 

• The plans, designs, and products being developed by the prime contractor address the 
program requirements, conform to the DHS enterprise architecture, and are cost-effective for 
the government 

• The program risks are being identified and managed 

• The performance of the program (US-VISIT mission goals and program management 
controls) is being measured and validated 

Slide 90, Observation 5: Independent verification and validation (IV&V) contractor's roles 
may be conflicting. 

The US-VISIT program office endorses the concept of Independent Validation and Verification 
(IV&V) as a mechanism to provide an independent review of system processes and work 
products. Furthermore, US-VISIT recognizes the need for the IV&V to be independent of the 
processes and products that are being developed. US-VISIT utilized an existing IV&V vehicle 
for Increment 1 that was available through the Bureau of Immigration and Customs Enforcement 
(ICE) and identified by DHS as a center of excellence. Unit testing was performed by 
component system owners and their respective application development contractors under 
distinctly separate task orders, while end-to-end, security, and performance testing was 
completed by SAIC. The technology IV&V work completed under this contract vehicle was 
provided by SAIC under Task Order 02-SM/I-IRM-417, dated September 25, 2003. GAO 
incorrectly cited the July 18, 2003, statement of work for other general program and project 
management support. The scope of the September 25, 2003, task order specifically addressed 
the provision for technical governance, systems assurance standards and direction, as well as 
independent end-to-end testing. 

See comment 8. 

Slide 92, Observation 6: Program-level change control board has not been established (and 
Recommendations, Slide 103). 

The US-VISIT program office endorses a structured and disciplined approach to change control 
and is actively building a process to establish and maintain the integrity of work products with its 
stakeholders. While the principles of software configuration management were followed based 
on the ICE Enterprise Systems Assurance Plan (i.e., the establishment of a Functional Baseline 
[FB] and Allocated Baseline [AB], versioned naming conventions for software, and recording all 
documentation to an Enterprise Library) a formal Change Control Board was not established 
prior to the implementation of Increment 1. It is the intention of the US-VISIT Program Office 
to institute a CM process that will define policy for any modifications or System Change 
Requests for any future releases of software. 
The following are GAO's comments on the Department of Homeland 
Security's letter dated April 27, 2004. 

GAO Comments 

1. We do not agree that the US-VISIT program has a security plan. In 
response to our request for the US-VISIT security plan, DHS provided a 
draft document entitled Security and Privacy: Requirements & 
Guidelines Version 1.0. However, as we state in the report, this 
document does not include information consistent with relevant 
guidance for a security plan.¹ For example, this guidance states that a 
system security plan should (1) provide an overview of the system 
security requirements, (2) include a description of the controls in place 
or planned for meeting the requirements, (3) delineate roles and 
responsibilities of all individuals who have access to the system, 
(4) describe the risk assessment methodology to be used, and 
(5) address security awareness and training. The document provided by 
DHS addressed two of these requirements — security requirements and 
training and awareness. As we state in the report, the document does 
not (1) describe specific controls to satisfy the security requirements, 
(2) describe the risk assessment methodology, and (3) identify roles 
and responsibilities of individuals with system access. Further, much of 
the document discusses guidelines for developing a security plan, 
rather than providing the specific content expected of a plan. 

2. Although DHS has completed a Privacy Impact Assessment for 
Increment 1, the assessment is not consistent with the Office of 
Management and Budget guidance.² This guidance says that a Privacy 
Impact Assessment should, among other things, (1) identify 
appropriate measures for mitigating identified risks, (2) discuss the 
rationale for the final design or business process choice, (3) discuss 
alternatives to the designed information collection and handling, and 
(4) address whether privacy is provided for in system development and 
documentation. While the Privacy Impact Assessment for US-VISIT 
Increment 1 discusses mitigation strategies for identified risks and 
briefly discusses the rationale for design choices, it does not discuss 
alternatives to the designed information collection and handling. 
Further, Increment 1 system documentation does not address privacy. 

¹ Office of Management and Budget Circular Number A-130, Revised (Transmittal 
Memorandum No. 4), Appendix III, "Security of Federal Automated Information Resources" 
(Nov. 28, 2000) and National Institute of Standards and Technology, Guide for Developing 
Security Plans for Information Systems, NIST Special Publication 800-18 (December 
1998). 

² OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, 
OMB M-03-22 (Sept. 26, 2003). 

3. DHS's comments did not include a copy of its revised fiscal year 2004 
expenditure plan because, according to an agency official, OMB has not 
yet approved the revised plan for release, and thus we cannot 
substantiate its comments concerning either the amount or the 
disclosure of management reserve funding. Further, we are not aware 
of any unduly burdensome restrictions and/or approval processes for 
using such a reserve. We have modified our report to reflect DHS's 
statement that it supports establishing a management reserve and the 
status of revisions to its expenditure plan. 



4. We have modified the report as appropriate to reflect these comments 
and subsequent oral comments concerning the membership of the US- 
VISIT Advisory Board. 



5. We do not believe that DHS's comments provide any evidence to 
counter our observation that the system acceptance test plan was 
developed largely during and after testing. In general, these comments 
concern the Increment 1 test strategy, test contractor and component 
system development team coordination, Increment 1 use cases, and 
pre-existing component system test cases, none of which are related to 
our point about the completeness of the four versions of the test plan. 
More specifically, our observation does not address whether or not an 
Increment 1 test strategy was developed and approved, although we 
would note that the version of the strategy that the program office 
provided to us was incomplete, was undated, and did not indicate any 
level of approval. Further, our observation does not address whether 
some unspecified level of coordination occurred between the test 
contractor and the component system development teams; it does not 
concern the development, modification, and use of Increment 1 
"overarching" use cases, although we acknowledge that such use cases 
are important in developing test cases; and it does not address the pre- 
existence of component system test cases and their residence in a test 
case repository, although we note that when we previously asked for 
additional information on this repository, none was provided. 

Rather, our observation concerns whether a sufficiently defined US- 
VISIT Increment 1 system acceptance test plan was developed, 
approved, and available in time to be used as the basis for conducting 
system acceptance testing. As we state in the report, to be sufficient 
such a plan should, among other things, define the full complement of 
test cases, including inputs and outputs, and the procedures for 
executing these test cases. Moreover, these test cases should be 
traceable to system requirements. However, as we state in our report, 
this content was added to the Increment 1 test plan during the course of 
testing, and only the version of the test plan modified January 16, 2004, 
contained all of this content. Moreover, DHS's comments recognize that 
these test plan versions were developed during the course of test 
execution and that the test schedule did not permit sufficient time for 
all stakeholders to review the versions. 

6. We do not disagree with DHS's comments describing the roles and 
responsibilities of its program office support contractor and its 
Federally Funded Research and Development Center (FFRDC) 
contractor. However, DHS's description of the FFRDC contractor's 
roles and responsibilities does not cover all of the taskings envisioned for 
this contractor. Specifically, DHS's comments state that the FFRDC 
contractor is to execute such program and project management 
activities as strategic planning, contractor source selection, acquisition 
management, risk management, and performance management. These 
roles and responsibilities are consistent with the FFRDC contractor's 
statement of work that was provided by DHS. However, DHS's 
comments omit other roles and responsibilities specified in this 
statement of work. In particular, the comments do not cite that this 
contractor is also to conduct audits and evaluations in the form of 
independent verification and validation activities. It is this audit and 
evaluation role, particularly the independence element, which is the 
basis for our concern and observation. As we note above and state in 
the report, US-VISIT program plans and the contractor's statement of 
work provide for using the same contractor both to perform program 
and project management activities, including creation of related 
products, and to assess those activities and products. Under these 
circumstances, the contractor could not be sufficiently independent to 
effectively discharge the audit and evaluation tasks. 

7. We do not agree with DHS's comment that we cited the wrong operative 
documentation pertaining to US-VISIT independent verification and 
validation plans. As discussed in our comment No. 6, the statement of 
work that we cite in the report relates to DHS plans to use the FFRDC 
contractor to both perform program and project management activities 
and develop related products and to audit and evaluate those activities 
and products. The testing contractor and testing activities discussed in 
DHS comments are separate and distinct from our observation about 
DHS plans for using the FFRDC contractor. Accordingly, our report 
does not make any observation regarding the independence of the 
testing contractor. 

8. We agree that US-VISIT lacks a change control board and support 
DHS's stated commitment to establish a structured and disciplined 
change control process that would include such a board. 